@better-auth/oauth-provider
cpe:2.3:a:better-auth:better_auth:*:*:*:*:node.js:*:*
- >= 1.4.8-beta.7, < 1.6.5
- >= 1.7.0-beta.0, <= 1.7.0-beta.1
A vulnerability exists in Better Auth's OAuth client creation process, specifically in versions 1.4.8-beta.7 prior to 1.6.5 and 1.7.0-beta.0 through 1.7.0-beta.1. The issue arises because the clientPrivileges option, intended to restrict client registration, was not properly enforced. As a result, any authenticated user could register an OAuth client with custom redirect URIs and metadata, bypassing the intended restrictions. This vulnerability is particularly concerning for deployments that relied on clientPrivileges to control who could create OAuth clients.
Exploitation of this vulnerability allows any authenticated user to register OAuth clients with attacker-chosen redirect URIs and metadata, undermining the clientPrivileges restriction. Such an unauthorized client could be used for phishing, since it can present itself to users as a legitimate first-party application. Additionally, if the SERVER_ONLY admin creation endpoint is accessible to low-privilege users, it could expose sensitive fields such as skip_consent.
Users can upgrade to Better Auth version 1.6.5, where this vulnerability is fixed. If an immediate upgrade is not possible, the /oauth2/create-client and /admin/oauth2/create-client routes can be blocked at the reverse proxy or middleware layer for users who should not be able to register clients. It is also advisable not to expose the admin creation endpoint, as it is intended for server use only and should not be accessible to end-user sessions.
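The middleware-layer blocking described above, as an added JavaScript example that is not Better Auth's own code: it denies the admin route outright and gates the user route behind a deployment-supplied predicate. The base path /api/auth and the mayRegisterClients predicate are assumptions of the example, not values taken from the advisory.

```javascript
// Added example, not Better Auth code: a guard for the two client-creation
// routes named in the advisory, for deployments that cannot upgrade yet.
// Assumptions (not from the advisory): the auth handler is mounted under
// `basePath`, and `mayRegisterClients(session)` is a deployment-specific
// predicate encoding who is allowed to register OAuth clients.
const USER_CREATE_CLIENT = "/oauth2/create-client";
const ADMIN_CREATE_CLIENT = "/admin/oauth2/create-client";

// Normalize a request path so that a scheme/host prefix, query string,
// percent-encoding, repeated or trailing slashes cannot slip past a plain
// string comparison. Ambiguous input is folded towards the blocked form.
function normalizePath(url) {
  let p = String(url);
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(p)) p = new URL(p).pathname; // absolute URL: keep only the path
  p = p.split(/[?#]/)[0];
  try { p = decodeURIComponent(p); } catch { /* keep undecodable input as-is */ }
  p = p.replace(/\/+/g, "/");
  return p.length > 1 ? p.replace(/\/+$/, "") : p;
}

function createClientRegistrationGuard({ basePath = "/api/auth", mayRegisterClients }) {
  const adminPath = normalizePath(basePath + ADMIN_CREATE_CLIENT);
  const userPath = normalizePath(basePath + USER_CREATE_CLIENT);
  // Returns a decision object so the same logic can back an Express
  // middleware, a fetch handler, or a unit test.
  return function decide({ url, session }) {
    const path = normalizePath(url);
    if (path === adminPath) {
      // SERVER_ONLY endpoint: never reachable through an end-user session.
      return { allowed: false, status: 404, reason: "admin client creation is server-only" };
    }
    if (path === userPath) {
      if (!session) return { allowed: false, status: 401, reason: "no session" };
      if (!mayRegisterClients(session)) {
        return { allowed: false, status: 403, reason: "session may not register OAuth clients" };
      }
    }
    return { allowed: true };
  };
}

// Express-style adapter: reject with the decided status, otherwise continue.
function asExpressMiddleware(decide, getSession) {
  return (req, res, next) => {
    const d = decide({ url: req.originalUrl || req.url, session: getSession(req) });
    if (d.allowed) return next();
    res.status(d.status).json({ error: d.reason });
  };
}
```

Mount the adapter before the Better Auth handler so the decision runs on every request that could reach those routes.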