Jul 7, 2026·6 min read·5 visits
A missing authorization check in @better-auth/scim allows any logged-in user to regenerate tokens for personal SCIM providers, delete existing configurations, and use hijacked administrative privileges to manipulate and take over target user accounts.
An authorization bypass vulnerability in the @better-auth/scim plugin allows authenticated attackers to hijack personal SCIM providers and subsequently perform full account takeovers.
The @better-auth/scim plugin, part of the better-auth monorepo, provides System for Cross-domain Identity Management (SCIM) integration capabilities. This plugin exposes endpoints to manage directory synchronization, allowing applications to securely provision users and groups. The plugin differentiates between organization-scoped SCIM providers and personal (non-organizational) SCIM providers.
The vulnerability is classified under CWE-862: Missing Authorization and CWE-284: Improper Access Control. When a SCIM provider is configured without an associated organization ID, the endpoints managing token generation fail to validate that the requesting user owns or has permission to modify the provider. This allows any authenticated user within the system to interact with and alter configurations belonging to other tenants or individuals.
The attack surface is accessible via the standard HTTP endpoints registered by the SCIM plugin. Because the token generation endpoint processes requests without checking user-to-provider mappings for personal integrations, unauthorized individuals can overwrite existing providers. The downstream impact of this bypass includes complete account takeovers via administrative SCIM APIs.
The root cause of this vulnerability lies within the authorization middleware helper function assertSCIMProviderAccess defined in packages/scim/src/routes.ts. When a token generation request is submitted to /scim/generate-token, the system checks if a provider with the given providerId already exists. If the provider is found, it calls assertSCIMProviderAccess to verify access permissions.
The check function executes specific logic based on the presence of an organizationId. If the provider is organizational, membership and role checks are performed. However, if the provider is personal (meaning organizationId is empty or undefined), the application attempts to evaluate ownership via the userId field.
In affected versions, the scimProvider table schema does not store or enforce a userId column by default, causing provider.userId to resolve to undefined. When evaluating else if (provider.userId && provider.userId !== userId), the falsy value of provider.userId causes the entire block to be skipped. Consequently, the function returns successfully without throwing an error, indicating the user has authorization when they do not.
In the vulnerable path, the /scim/generate-token handler processes requests with a schema validating providerId and an optional organizationId. The handler then queries the database schema to locate the provider:
const scimProvider = await ctx.context.adapter.findOne<SCIMProvider>({
model: "scimProvider",
where: [
{ field: "providerId", value: providerId },
...(organizationId
? [{ field: "organizationId", value: organizationId }]
: []),
],
});If the provider is matched, authorization checks are delegated. Below is the vulnerable implementation of assertSCIMProviderAccess in routes.ts prior to the remediation:
async function assertSCIMProviderAccess(
ctx: GenericEndpointContext,
userId: string,
provider: SCIMProvider,
requiredRole: string[],
): Promise<void> {
if (provider.organizationId) {
// ... organization validation logic ...
} else if (provider.userId && provider.userId !== userId) {
// Vulnerability: If provider.userId is undefined, this block is bypassed
throw new APIError("FORBIDDEN", {
message: "You must be the owner to access this provider",
});
}
// Implicit return (void) results in successful access validation
}Because the database schema did not require or populate the userId column for personal providers, the variable provider.userId evaluated to undefined. The logic assumed that any personal provider must have a valid userId string assigned to it. Because this was not enforced, the condition failed safe for the attacker rather than failing closed, resulting in complete validation avoidance.
An authenticated attacker with standard permissions can exploit this vulnerability to take over any personal SCIM connection. The attack is performed in several distinct phases, beginning with target discovery and concluding with administrative modification of user accounts.
First, the attacker identifies a target providerId representing an active personal SCIM configuration. They then make a direct POST request to the token generation API using their own authentication credentials:
POST /scim/generate-token HTTP/1.1
Host: vulnerable-app.local
Authorization: Bearer <attacker_session_token>
Content-Type: application/json
{
"providerId": "target-personal-provider-id"
}The server processes the request, bypasses authorization because provider.userId is absent, deletes the victim's existing SCIM provider record, and creates a new database entry associated with the same providerId. The server then returns a freshly generated administrative token to the attacker.
HTTP/1.1 201 Created
Content-Type: application/json
{
"scimToken": "ZXhhbXBsZXRva2VuOnZpY3RpbS1wcm92aWRlci1pZA=="
}Armed with this administrative token, the attacker calls the SCIM Users endpoint to modify targeted user metadata, such as replacing a victim's email address with one controlled by the attacker. This allows the attacker to complete an account takeover via standard password-reset or magic-link flows.
The impact of this vulnerability is critical. Successful exploitation leads to a complete breakdown of multi-tenant or multi-user isolation for personal SCIM integrations. The attack allows unprivileged users to disable existing integrations and take control of administrative directory synchronization mechanisms.
Once the attacker generates a valid token, they gain write access to SCIM resources, allowing the arbitrary creation, modification, and deletion of users. The modification of highly privileged users (such as administrators) allows immediate lateral movement and broader system compromise. The attacker can effectively lock legitimate users out of their accounts while establishing persistent administrative access.
This flaw is tracked as GHSA-J8V8-G9CX-5QF4. While no CVE has been assigned to this advisory at the time of writing, the underlying access control failure matches the characteristics of high-severity privilege escalation vectors.
To address this vulnerability, administrators and developers must upgrade @better-auth/scim to version v1.7.0-beta.4 or higher. The patch introduces the providerOwnership security control to properly associate and validate the creating user of a SCIM provider.
Because automating database migrations on live SQL databases can lead to service interruptions, the ownership control is not enabled by default. Developers must explicitly modify their Better Auth configuration to enable ownership tracking and enforce security restrictions:
import { scim } from "@better-auth/scim";
export const auth = new BetterAuth({
plugins: [
scim({
providerOwnership: {
enabled: true
},
canGenerateToken: async ({ user, providerId, organizationId }) => {
// Restrict personal SCIM provider generation to authorized administrators
if (!organizationId) {
return user.role === "super-admin";
}
return true;
}
})
]
});In addition to the code changes, the database schema must be updated to include the missing userId column on the scimProvider table. The following SQL command performs the required modification:
ALTER TABLE "scimProvider" ADD COLUMN "userId" TEXT;Applying both the package upgrade and the manual database schema migration ensures that ownership metadata is populated and evaluated correctly during token generation requests.
| Product | Affected Versions | Fixed Version |
|---|---|---|
@better-auth/scim Better Auth | < 1.7.0-beta.4 | 1.7.0-beta.4 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-862 (Missing Authorization) |
| Attack Vector | Network |
| CVSS Score | 8.8 |
| Impact | Provider hijacking and Account Takeover |
| Exploit Status | none |
| KEV Status | Not listed |
The Better Auth framework's OIDC provider implementation (oidcProvider) contained insecure cryptographic defaults before version 1.6.11. It advertised the insecure alg=none signing algorithm and accepted plain PKCE challenges by default, leaving downstream clients vulnerable to token signature bypasses and authorization code interception attacks.
A critical session persistence vulnerability exists within the Better Auth framework when configured to use external secondary storage (such as Redis or Cloudflare KV) with default database options. Due to four incomplete user-deletion code paths, active user sessions are not evicted from secondary storage caches during deletion events. As a result, deleted users retain full system access via their pre-existing session cookies until the Session Time-To-Live (TTL) expires.
A behavioral mismatch vulnerability (CWE-701) in the Rust-based uutils coreutils implementation of common command-line utilities allows silent data loss. When the --suffix argument is executed without explicit backup flags, the uucore library fails to enter backup mode, silently overwriting target files instead of creating preserving copies as expected under GNU standards.
Open WebUI versions prior to 0.6.6 contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to upload malicious HTML files containing arbitrary JavaScript. When viewed by an administrator, the executed script can abuse administrative APIs to register malicious functions, leading to remote code execution on the underlying server host.
A critical Stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions prior to 0.6.6. The vulnerability resides in client-side Markdown rendering, where unvalidated iframe tags containing local API base URLs bypass DOMPurify sanitization. This flaw allows authenticated attackers to steal user session tokens. If an administrative session is compromised, the attacker can leverage the application's native Python execution capabilities ('Functions') to achieve arbitrary Remote Code Execution (RCE) on the hosting server.
CVE-2026-26192 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.7.0. Authenticated users can modify chat history metadata to force document citations to render inside an HTML iframe configured with an insecure sandbox policy. By combining 'allow-scripts' and 'allow-same-origin', the sandbox boundary is neutralized. This allows scripts executing within the iframe to access the parent window's DOM, extract sensitive Web UI local storage keys (such as authentication JWTs), and perform state-changing actions on behalf of other users, including administrators.