CVE-2026-41427: OAuth 2.1 Provider: Unprivileged users can register OAuth clients
The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.
Non-create operations (read, list, update, delete, rotate) enforced the hook correctly. Only the create path was missing the check.