CVE-2026-53513: @better-auth/sso <1.6.11 allows non-blind SSRF via unvalidated OIDC endpoint URLs during SSO provider registration, with potential account takeover when trustEmailVerified is enabled.
CVE-2026-53513 is verified against @better-auth/sso · npm affected versions: >=0.1.0, <1.6.11 (also 1.7.0-beta.x) fixed version: 1.6.11 vulnerability class: SSRF This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00274.
pruva-verify REPRO-2026-00274 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00274/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh The @better-auth/sso plugin accepts attacker-controlled OIDC endpoint URLs when skipDiscovery: true during SSO provider registration or update. These URLs are persisted without validation and later fetched server-side during OIDC callbacks, enabling non-blind SSRF. If trustEmailVerified: true is enabled, attacker-controlled userInfo responses can trigger account linking for an existing email, leading to account takeover.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.