CVE-2026-41427
OAuth 2.1 Provider: Unprivileged users can register OAuth clients
Description
### Am I affected?

You're affected if all of the following are true:

- You use @better-auth/oauth-provider at a version earlier than the fixed release listed under Patches below.
- You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients.
- The /oauth2/create-client or /admin/oauth2/create-client endpoints are reachable by authenticated users you don't fully trust.

If clientPrivileges is not configured, this bug has no security consequence for your deployment.

---

### Summary

The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were therefore not restricted at all: any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.

The non-create operations (read, list, update, delete, rotate) enforced the hook correctly; only the create path was missing the check.

### Impact

- Unauthorized registration of OAuth clients by any authenticated user, in deployments that expected clientPrivileges to block them.
- Attacker-controlled redirect_uris on those clients enable phishing flows that present as registered first-party applications.
- If the SERVER_ONLY admin creation endpoint is also exposed to low-privilege users (a separate deployment misconfiguration), additional sensitive fields including `skip_consent` become writable.

### Patches

Fixed in `@better-auth/oauth-provider@1.6.5`. Both create endpoints now call the clientPrivileges hook with action "create" before persisting the client record.

### Workarounds

If you cannot upgrade immediately:

- Block the /oauth2/create-client and /admin/oauth2/create-client routes at your reverse proxy or middleware layer for any user who should not be able to register clients.
- Do not expose the admin creation endpoint (it is SERVER_ONLY by design and should not be reachable by end-user sessions).
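The following TypeScript is an added illustration of the bug class and of the two mitigations the advisory describes; it is not better-auth's code. The `Session`, `ClientRecord`, `ClientStore` and handler names, the boolean shape of the `ClientPrivilegesHook`, and the `adminOnlyCreate` policy are all simplified assumptions. It contrasts a create handler that never consults the hook with one that does, and adds a route guard of the kind the Workarounds section suggests for deployments that cannot upgrade yet.

```typescript
// Added illustration of the bug class in this advisory. It is NOT better-auth's
// code: the types, the hook signature, the store and the handler names are
// simplified assumptions chosen to make the missing check visible.

type Role = "admin" | "user";
type Session = { userId: string; role: Role };
type ClientAction = "create" | "read" | "list" | "update" | "delete" | "rotate";
type Endpoint = "public" | "admin"; // /oauth2/create-client vs /admin/oauth2/create-client

interface ClientRecord {
  client_id: string;
  client_name: string;
  redirect_uris: string[];
  skip_consent: boolean;
}

interface CreateClientInput {
  client_name: string;
  redirect_uris: string[];
  skip_consent?: boolean;
}

// Assumed hook shape: true allows the action for this session, false denies it.
type ClientPrivilegesHook = (ctx: { session: Session; action: ClientAction }) => boolean;

type HandlerResult =
  | { status: 201; body: ClientRecord }
  | { status: 403; body: { error: string } };

// In-memory stand-in for the OAuth client table.
class ClientStore {
  private readonly clients = new Map<string, ClientRecord>();
  private nextId = 1;

  insert(fields: Omit<ClientRecord, "client_id">): ClientRecord {
    const record: ClientRecord = { client_id: `client_${this.nextId++}`, ...fields };
    this.clients.set(record.client_id, record);
    return record;
  }

  count(): number {
    return this.clients.size;
  }
}

function persistClient(store: ClientStore, input: CreateClientInput, endpoint: Endpoint): ClientRecord {
  return store.insert({
    client_name: input.client_name,
    redirect_uris: input.redirect_uris,
    // Only the admin (SERVER_ONLY) endpoint is meant to accept skip_consent.
    skip_consent: endpoint === "admin" ? input.skip_consent ?? false : false,
  });
}

// Vulnerable pattern: having a session is treated as sufficient; the hook is
// never consulted, so any authenticated user can register a client with
// attacker-chosen redirect_uris.
function createClientVulnerable(store: ClientStore, _session: Session, _hook: ClientPrivilegesHook,
                                input: CreateClientInput, endpoint: Endpoint = "public"): HandlerResult {
  return { status: 201, body: persistClient(store, input, endpoint) };
}

// Fixed pattern: consult the hook with action "create" before persisting.
function createClientFixed(store: ClientStore, session: Session, hook: ClientPrivilegesHook,
                           input: CreateClientInput, endpoint: Endpoint = "public"): HandlerResult {
  if (!hook({ session, action: "create" })) {
    return { status: 403, body: { error: "clientPrivileges denied create" } };
  }
  return { status: 201, body: persistClient(store, input, endpoint) };
}

// A policy an operator might configure: only admins may create clients.
const adminOnlyCreate: ClientPrivilegesHook = ({ session, action }) =>
  action === "create" ? session.role === "admin" : true;

// Interim guard for unpatched deployments (the advisory's workaround): reject the
// two create routes for anonymous callers and for sessions the policy would deny.
const CREATE_CLIENT_ROUTES = ["/oauth2/create-client", "/admin/oauth2/create-client"];

function shouldBlockCreateRoute(requestPath: string, session: Session | null,
                                hook: ClientPrivilegesHook): boolean {
  // Resolve "." / ".." segments, drop the query string and trailing slashes,
  // then compare on the normalised pathname only.
  const pathname = new URL(requestPath, "http://localhost").pathname.replace(/\/+$/, "");
  if (!CREATE_CLIENT_ROUTES.includes(pathname)) return false;
  if (session === null) return true;
  return !hook({ session, action: "create" });
}

// Stand-alone demonstration: how many clients each handler lets a plain user create.
function demo(): { vulnerable: number; fixed: number } {
  const user: Session = { userId: "u1", role: "user" };
  const input: CreateClientInput = { client_name: "Looks Official", redirect_uris: ["https://attacker.example/cb"] };
  const v = new ClientStore(); createClientVulnerable(v, user, adminOnlyCreate, input);
  const f = new ClientStore(); createClientFixed(f, user, adminOnlyCreate, input);
  return { vulnerable: v.count(), fixed: f.count() };
}

console.log(demo()); // { vulnerable: 1, fixed: 0 }
```

The guard normalises the path with the URL parser so that trailing slashes, query strings and `..` segments cannot slip past a literal string compare, but it does not decode percent-encoded segments; place it at the same layer as the router that will ultimately match the route, so both see the same pathname. Note also that the guard is a stop-gap: once upgraded, the hook call inside the create handler is the control that matters.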
How to fix CVE-2026-41427
To remediate CVE-2026-41427, upgrade the affected package to a fixed version:

- @better-auth/oauth-provider: upgrade to 1.6.5 or later

Confirm the installed version with `npm ls @better-auth/oauth-provider` (or your package manager's equivalent). Upgrading stops further unauthorized registrations but does not undo any made while the check was missing, so review the existing OAuth clients for entries with unexpected redirect_uris.
Is CVE-2026-41427 being exploited?
Low. The EPSS score is 0.0%, a very low predicted probability of exploitation in the next 30 days. EPSS is a prediction, not a record of observed attacks, so treat the rating as a prioritisation hint rather than evidence that the create endpoints are safe to leave reachable.