Better Auth's SSRF flaw, tracked as CVE-2026-53513, lets any logged-in user reach internal services. The bug carries a CVSS score of 9.6 and sits in the @better-auth/sso plugin. Maintainers fixed it in version 1.6.11, so upgrade quickly. An attacker with a normal session can read responses from internal endpoints, including cloud metadata services like AWS IMDS, plus Redis or admin panels bound to localhost. The flaw lives in the plugin’s provider registration flow and stores OIDC endpoint URLs without checking their origin. Later, during the OIDC callback, the server fetches those URLs and reflects the response body through the user profile. This makes it a non-blind SSRF. Any 1.7.0-beta.x release on the pre-release line is also vulnerable. You are exposed only if the sso plugin sits in your betterAuth plugins array. By contrast, deployments without the SSO plugin stay safe affecting @better-auth/sso versions The issue affects @better-auth/sso from 0.
We recommend you to update @better-auth/sso to version 1.6.11.[/subscribe_to_unlock_form]
Better Auth's SSRF flaw, tracked as CVE-2026-53513, lets any logged-in user reach internal services. The bug carries a CVSS score of 9.6 and sits in the @better-auth/sso plugin. Maintainers fixed it in version 1.6.11, so upgrade quickly. An attacker with a normal session can read responses from internal endpoints, including cloud metadata services like AWS IMDS, plus Redis or admin panels bound to localhost. The flaw lives in the plugin’s provider registration flow and stores OIDC endpoint URLs without checking their origin. Later, during the OIDC callback, the server fetches those URLs and reflects the response body through the user profile. This makes it a non-blind SSRF. Any 1.7.0-beta.x release on the pre-release line is also vulnerable. You are exposed only if the sso plugin sits in your betterAuth plugins array. By contrast, deployments without the SSO plugin stay safe affecting @better-auth/sso versions The issue affects @better-auth/sso from 0.
We recommend you to update @better-auth/sso to version 1.6.11.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]