CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-J8V8-G9CX-5QF4

GHSA-J8V8-G9CX-5QF4: Missing Authorization and Access Control Flaw in @better-auth/scim

Alon Barad
Alon Barad
Software Engineer

Jul 7, 2026·6 min read·5 visits

Executive Summary (TL;DR)

A missing authorization check in @better-auth/scim allows any logged-in user to regenerate tokens for personal SCIM providers, delete existing configurations, and use hijacked administrative privileges to manipulate and take over target user accounts.

An authorization bypass vulnerability in the @better-auth/scim plugin allows authenticated attackers to hijack personal SCIM providers and subsequently perform full account takeovers.

Vulnerability Overview

The @better-auth/scim plugin, part of the better-auth monorepo, provides System for Cross-domain Identity Management (SCIM) integration capabilities. This plugin exposes endpoints to manage directory synchronization, allowing applications to securely provision users and groups. The plugin differentiates between organization-scoped SCIM providers and personal (non-organizational) SCIM providers.

The vulnerability is classified under CWE-862: Missing Authorization and CWE-284: Improper Access Control. When a SCIM provider is configured without an associated organization ID, the endpoints managing token generation fail to validate that the requesting user owns or has permission to modify the provider. This allows any authenticated user within the system to interact with and alter configurations belonging to other tenants or individuals.

The attack surface is accessible via the standard HTTP endpoints registered by the SCIM plugin. Because the token generation endpoint processes requests without checking user-to-provider mappings for personal integrations, unauthorized individuals can overwrite existing providers. The downstream impact of this bypass includes complete account takeovers via administrative SCIM APIs.

Root Cause Analysis

The root cause of this vulnerability lies within the authorization middleware helper function assertSCIMProviderAccess defined in packages/scim/src/routes.ts. When a token generation request is submitted to /scim/generate-token, the system checks if a provider with the given providerId already exists. If the provider is found, it calls assertSCIMProviderAccess to verify access permissions.

The check function executes specific logic based on the presence of an organizationId. If the provider is organizational, membership and role checks are performed. However, if the provider is personal (meaning organizationId is empty or undefined), the application attempts to evaluate ownership via the userId field.

In affected versions, the scimProvider table schema does not store or enforce a userId column by default, causing provider.userId to resolve to undefined. When evaluating else if (provider.userId && provider.userId !== userId), the falsy value of provider.userId causes the entire block to be skipped. Consequently, the function returns successfully without throwing an error, indicating the user has authorization when they do not.

Code Analysis

In the vulnerable path, the /scim/generate-token handler processes requests with a schema validating providerId and an optional organizationId. The handler then queries the database schema to locate the provider:

const scimProvider = await ctx.context.adapter.findOne<SCIMProvider>({
    model: "scimProvider",
    where: [
        { field: "providerId", value: providerId },
        ...(organizationId
            ? [{ field: "organizationId", value: organizationId }]
            : []),
    ],
});

If the provider is matched, authorization checks are delegated. Below is the vulnerable implementation of assertSCIMProviderAccess in routes.ts prior to the remediation:

async function assertSCIMProviderAccess(
	ctx: GenericEndpointContext,
	userId: string,
	provider: SCIMProvider,
	requiredRole: string[],
): Promise<void> {
	if (provider.organizationId) {
		// ... organization validation logic ...
	} else if (provider.userId && provider.userId !== userId) {
		// Vulnerability: If provider.userId is undefined, this block is bypassed
		throw new APIError("FORBIDDEN", {
			message: "You must be the owner to access this provider",
		});
	}
	// Implicit return (void) results in successful access validation
}

Because the database schema did not require or populate the userId column for personal providers, the variable provider.userId evaluated to undefined. The logic assumed that any personal provider must have a valid userId string assigned to it. Because this was not enforced, the condition failed safe for the attacker rather than failing closed, resulting in complete validation avoidance.

Exploitation Methodology

An authenticated attacker with standard permissions can exploit this vulnerability to take over any personal SCIM connection. The attack is performed in several distinct phases, beginning with target discovery and concluding with administrative modification of user accounts.

First, the attacker identifies a target providerId representing an active personal SCIM configuration. They then make a direct POST request to the token generation API using their own authentication credentials:

POST /scim/generate-token HTTP/1.1
Host: vulnerable-app.local
Authorization: Bearer <attacker_session_token>
Content-Type: application/json
 
{
  "providerId": "target-personal-provider-id"
}

The server processes the request, bypasses authorization because provider.userId is absent, deletes the victim's existing SCIM provider record, and creates a new database entry associated with the same providerId. The server then returns a freshly generated administrative token to the attacker.

HTTP/1.1 201 Created
Content-Type: application/json
 
{
  "scimToken": "ZXhhbXBsZXRva2VuOnZpY3RpbS1wcm92aWRlci1pZA=="
}

Armed with this administrative token, the attacker calls the SCIM Users endpoint to modify targeted user metadata, such as replacing a victim's email address with one controlled by the attacker. This allows the attacker to complete an account takeover via standard password-reset or magic-link flows.

Impact Assessment

The impact of this vulnerability is critical. Successful exploitation leads to a complete breakdown of multi-tenant or multi-user isolation for personal SCIM integrations. The attack allows unprivileged users to disable existing integrations and take control of administrative directory synchronization mechanisms.

Once the attacker generates a valid token, they gain write access to SCIM resources, allowing the arbitrary creation, modification, and deletion of users. The modification of highly privileged users (such as administrators) allows immediate lateral movement and broader system compromise. The attacker can effectively lock legitimate users out of their accounts while establishing persistent administrative access.

This flaw is tracked as GHSA-J8V8-G9CX-5QF4. While no CVE has been assigned to this advisory at the time of writing, the underlying access control failure matches the characteristics of high-severity privilege escalation vectors.

Remediation and Defensive Configuration

To address this vulnerability, administrators and developers must upgrade @better-auth/scim to version v1.7.0-beta.4 or higher. The patch introduces the providerOwnership security control to properly associate and validate the creating user of a SCIM provider.

Because automating database migrations on live SQL databases can lead to service interruptions, the ownership control is not enabled by default. Developers must explicitly modify their Better Auth configuration to enable ownership tracking and enforce security restrictions:

import { scim } from "@better-auth/scim";
 
export const auth = new BetterAuth({
    plugins: [
        scim({
            providerOwnership: {
                enabled: true
            },
            canGenerateToken: async ({ user, providerId, organizationId }) => {
                // Restrict personal SCIM provider generation to authorized administrators
                if (!organizationId) {
                    return user.role === "super-admin";
                }
                return true;
            }
        })
    ]
});

In addition to the code changes, the database schema must be updated to include the missing userId column on the scimProvider table. The following SQL command performs the required modification:

ALTER TABLE "scimProvider" ADD COLUMN "userId" TEXT;

Applying both the package upgrade and the manual database schema migration ensures that ownership metadata is populated and evaluated correctly during token generation requests.

Official Patches

Better AuthBetter Auth SCIM Release v1.7.0-beta.4 containing fix logic

Technical Appendix

CVSS Score
8.8/ 10

Affected Systems

Applications utilizing the @better-auth/scim plugin within the better-auth ecosystem.

Affected Versions Detail

Product
Affected Versions
Fixed Version
@better-auth/scim
Better Auth
< 1.7.0-beta.41.7.0-beta.4
AttributeDetail
CWE IDCWE-862 (Missing Authorization)
Attack VectorNetwork
CVSS Score8.8
ImpactProvider hijacking and Account Takeover
Exploit Statusnone
KEV StatusNot listed

MITRE ATT&CK Mapping

T1098Account Manipulation
Persistence
T1078Valid Accounts
Initial Access
T1531Account Access Removal
Impact

Vulnerability Timeline

Vulnerability identified in routes.ts file.
2025-02-05
Code fixes integrated and committed.
2025-02-07
Release version v1.7.0-beta.4 published.
2025-02-10
GitHub Security Advisory GHSA-J8V8-G9CX-5QF4 disclosed.
2025-02-12

References & Sources

  • [1]GHSA-J8V8-G9CX-5QF4 Advisory Entry
  • [2]Better Auth Main Repository
  • [3]SCIM Route Declarations Source Code
  • [4]SCIM Plugin Index Entry Source Code

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•27 minutes ago•GHSA-9H47-PQCX-HJR4
9.8

GHSA-9H47-PQCX-HJR4: Insecure Cryptographic Defaults in Better Auth OIDC Provider

The Better Auth framework's OIDC provider implementation (oidcProvider) contained insecure cryptographic defaults before version 1.6.11. It advertised the insecure alg=none signing algorithm and accepted plain PKCE challenges by default, leaving downstream clients vulnerable to token signature bypasses and authorization code interception attacks.

Alon Barad
Alon Barad
1 views•6 min read
•about 1 hour ago•GHSA-2VG6-77G8-24MP
3.8

GHSA-2vg6-77g8-24mp: Insufficient Session Expiration via Incomplete Cleanup in Better Auth Ecosystem

A critical session persistence vulnerability exists within the Better Auth framework when configured to use external secondary storage (such as Redis or Cloudflare KV) with default database options. Due to four incomplete user-deletion code paths, active user sessions are not evicted from secondary storage caches during deletion events. As a result, deleted users retain full system access via their pre-existing session cookies until the Session Time-To-Live (TTL) expires.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 2 hours ago•GHSA-FQF6-GXHH-2XHW
6.6

GHSA-FQF6-GXHH-2XHW: Silent Data Loss and Behavioral Mismatch in uutils coreutils Backup Logic

A behavioral mismatch vulnerability (CWE-701) in the Rust-based uutils coreutils implementation of common command-line utilities allows silent data loss. When the --suffix argument is executed without explicit backup flags, the uucore library fails to enter backup mode, silently overwriting target files instead of creating preserving copies as expected under GNU standards.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 3 hours ago•CVE-2025-46571
5.4

CVE-2025-46571: Stored Cross-Site Scripting (XSS) in Open WebUI

Open WebUI versions prior to 0.6.6 contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to upload malicious HTML files containing arbitrary JavaScript. When viewed by an administrator, the executed script can abuse administrative APIs to register malicious functions, leading to remote code execution on the underlying server host.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 4 hours ago•CVE-2025-46719
7.4

CVE-2025-46719: Stored XSS and Administrative RCE in Open WebUI

A critical Stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions prior to 0.6.6. The vulnerability resides in client-side Markdown rendering, where unvalidated iframe tags containing local API base URLs bypass DOMPurify sanitization. This flaw allows authenticated attackers to steal user session tokens. If an administrative session is compromised, the attacker can leverage the application's native Python execution capabilities ('Functions') to achieve arbitrary Remote Code Execution (RCE) on the hosting server.

Alon Barad
Alon Barad
4 views•6 min read
•about 4 hours ago•CVE-2026-26192
7.3

CVE-2026-26192: Stored Cross-Site Scripting via Insecure Iframe Sandbox in Open WebUI

CVE-2026-26192 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.7.0. Authenticated users can modify chat history metadata to force document citations to render inside an HTML iframe configured with an insecure sandbox policy. By combining 'allow-scripts' and 'allow-same-origin', the sandbox boundary is neutralized. This allows scripts executing within the iframe to access the parent window's DOM, extract sensitive Web UI local storage keys (such as authentication JWTs), and perform state-changing actions on behalf of other users, including administrators.

Amit Schendel
Amit Schendel
5 views•6 min read