Summary
OAuth 2.1 Provider: Unprivileged users can register OAuth clients
Full technical description
Am I affected?
You're affected if all of the following are true:
- Using @better-auth/oauth-provider at version specified below
- You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients
- The /oauth2/create-client or /admin/oauth2/create-client endpoints are reachable by authenticated users you don't fully trust
If clientPrivileges is not configured, this bug has no security consequence for your deployment
Summary
The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted, any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.
Non-create operations (read, list, update, delete, rotate) enforced the hook correctly. Only the create path was missing the check.
Workarounds
If you cannot upgrade immediately:
- Block the /oauth2/create-client and /admin/oauth2/create-client routes at your reverse proxy or middleware layer for any user who should not be able to register clients.
- Do not expose the admin creation endpoint (it is SERVER_ONLY by design and should not be reachable by end-user sessions).
Impact
- Unauthorized registration of OAuth clients by any authenticated user, under deployments that expected clientPrivileges to block them.
- Attacker-controlled redirect_uris on those clients enable phishing flows that present as registered first-party applications.
- If the SERVER_ONLY admin creation endpoint is also exposed to low-privilege users (a separate deployment misconfiguration), additional sensitive fields including
skip_consentbecome writable.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Fixed in @better-auth/[email protected] Both create endpoints now call the clientPrivileges hook with action "create" before persisting the client record.
Frequently Asked Questions
- What is CVE-2026-41427? CVE-2026-41427 is a high-severity incorrect authorization vulnerability in @better-auth/oauth-provider (npm), affecting versions >= 1.4.8-beta.7, < 1.6.5. It is fixed in 1.6.5. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- Which versions of @better-auth/oauth-provider are affected by CVE-2026-41427? @better-auth/oauth-provider (npm) versions >= 1.4.8-beta.7, < 1.6.5 is affected.
- Is there a fix for CVE-2026-41427? Yes. CVE-2026-41427 is fixed in 1.6.5. Upgrade to this version or later.
- Is CVE-2026-41427 exploitable, and should I be worried? Whether CVE-2026-41427 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41427 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41427? Upgrade
@better-auth/oauth-providerto 1.6.5 or later.