GHSA-xr8f-h2gw-9xh6: OAuth 2.1 Provider: Unprivileged users can register OAuth clients
An authorization bypass in the OAuth provider allows any authenticated low-privilege user to create OAuth clients even when the deployment configures clientPrivileges to restrict client creation. The option's contract explicitly includes a create action, but the client-creation paths never invoke that callback, so applications that rely on clientPrivileges for RBAC are silently left allowing unauthorized client registration. Deployments that depend on this option should not assume the restriction is enforced; the quickest check is to attempt client registration as a low-privilege user and confirm that the request is rejected and no client is stored.