ContextQMD
Back to Better Auth

Security update: June 2026

docs/content/blogs/security-update-june-2026.mdx

1.6.1510.4 KB
Original Source

Security update: June 2026

Better Auth 1.6.14 is the current stable release. Stable projects should update to the latest 1.6.x version.

This update bundles a number of fixes, and we have published GitHub advisories for every reported issue. Some advisories affect scoped packages such as @better-auth/sso, @better-auth/scim, or @better-auth/oauth-provider. Update any Better Auth packages you install directly, not only the top-level better-auth package.

bash
pnpm add better-auth@latest

Most stable-line advisories are covered by the latest 1.6.x release. A few advisories require the next package channel or a documented workaround because the complete fix changes behavior. In those cases, follow the linked advisory for the exact upgrade path.

We have also started a dedicated security-review workstream across Better Auth and its plugins. It covers report triage, focused code review, automated and manual scanning, variant analysis, patch review, release coordination, and advisory publication.

Published Advisories

The tables below cover the advisories published in this security cycle, grouped by the affected component. The full historical list remains available in the Security Advisories tab.

Core (better-auth)

AdvisoryAreaSeverityFixed path
GHSA-g38m-r43w-p2q7OAuth account linking ownershipHigh[email protected]
GHSA-2vg6-77g8-24mpSession cleanup after user deletionLow[email protected], @better-auth/[email protected]

Organization

AdvisoryAreaSeverityFixed path
GHSA-fmh4-wcc4-5jm3Organization invitation ownershipHigh[email protected], with compatibility follow-up in [email protected]

Device Authorization

AdvisoryAreaSeverityFixed path
GHSA-cq3f-vc6p-68fh (CVE-2026-45337)Device-flow owner bindingHigh[email protected]

OAuth Provider (@better-auth/oauth-provider)

AdvisoryAreaSeverityFixed path
GHSA-xr8f-h2gw-9xh6 (CVE-2026-41427)OAuth client privilege checksHigh@better-auth/[email protected]
GHSA-7w99-5wm4-3g79OAuth authorization-code redemptionHigh[email protected], @better-auth/[email protected]
GHSA-392p-2q2v-4372OAuth refresh-token rotationHigh@better-auth/[email protected]
GHSA-p2fr-6hmx-4528OAuth resource indicatorsMedium@better-auth/[email protected]

SCIM (@better-auth/scim)

AdvisoryAreaSeverityFixed path
GHSA-j8v8-g9cx-5qf4SCIM provider ownershipHigh@better-auth/[email protected]

SSO (@better-auth/sso)

AdvisoryAreaSeverityFixed path
GHSA-5rr4-8452-hf4vSSO provider registration URL validationCritical@better-auth/[email protected]
GHSA-gv74-j8m3-fg5fSSO provider registration authorizationHigh@better-auth/[email protected]

Deprecated plugins (OIDC and MCP)

The oidcProvider and mcp plugins have been deprecated for roughly half a year and will be removed from the library in 1.7. For the advisories below we strongly recommend migrating to @better-auth/oauth-provider rather than relying on continued patches to these plugins.

AdvisoryAreaSeverityFixed path
GHSA-pw9m-5jxm-xr6hOIDC and MCP refresh-token handlingCritical[email protected]
GHSA-86j7-9j95-vpqjOIDC and MCP redirect URI validationHigh[email protected], [email protected]
GHSA-9h47-pqcx-hjr4OIDC and MCP protocol defaultsHigh[email protected]

Each advisory has the exact affected ranges, fixed versions, and package names. The tables are a quick index, not a replacement for the advisory body. If your project uses one of the affected plugins, read the linked advisory before deciding that a top-level better-auth update is enough.

Stable and Breaking Fixes

Security fixes often sit between two constraints: users need a patch quickly, and stable releases should not break existing applications unless there is no safe alternative.

Our stable line is still the first place we try to ship a fix. When the fix can preserve public types, defaults, and request or response shapes, it goes into the following 1.6.x release. That is the preferred path because most users can update without changing application code.

Some issues require a stronger default or a different API contract. In those cases, we have three options:

  • Ship a compatible stable fix and document the stricter configuration.
  • Ship the complete fix through the next package channel when stable compatibility would hide the risk.
  • Publish a workaround in the advisory when the stable line cannot safely take the breaking change.

If a compatibility release changes the recommended secure posture after publication, we will update the advisory body and metadata. Release notes alone are not enough for downstream audit tools.

How to Stay Current

  • Update stable projects to better-auth@latest. As of this update, that is 1.6.14.
  • Update next channel projects to the version named in the advisory. Several current advisories point to 1.7.0-beta.4.
  • Update scoped Better Auth packages too. Several advisories affect packages such as @better-auth/sso, @better-auth/scim, and @better-auth/oauth-provider.
  • Watch the repository releases. The Releases page shows each patch release.
  • Watch the advisory feed. The Security Advisories tab is the source of truth for affected and fixed ranges.
  • Run audit tools against your lockfile. GitHub Dependabot and npm audit both consume advisory metadata.

Thanks

Thank you to the researchers, contributors, maintainers, and users who reported issues, tested fixes, and reviewed patches during this cycle. As LLMs lower the bar for attackers, especially in open source software, covering the surfaces that matter and responding to the community's security reports remains one of our top priorities.