Skip to content
Verified reproduction

CVE-2026-53513: @better-auth/sso <1.6.11 allows non-blind SSRF via unvalidated OIDC endpoint URLs during SSO provider registration, with potential account takeover when trustEmailVerified is enabled.

CVE-2026-53513 is verified against @better-auth/sso · npm affected versions: >=0.1.0, <1.6.11 (also 1.7.0-beta.x) fixed version: 1.6.11 vulnerability class: SSRF This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00274.

REPRO-2026-00274 @better-auth/sso · npm SSRF Variant found Jul 8, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 30m 49s
Tool calls 281
Spend $5.19
Affected >=0.1.0, <1.6.11 (also 1.7.0-beta.x)
Fixed in 1.6.11
$ pruva-verify REPRO-2026-00274
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00274/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

The @better-auth/sso plugin accepts attacker-controlled OIDC endpoint URLs when skipDiscovery: true during SSO provider registration or update. These URLs are persisted without validation and later fetched server-side during OIDC callbacks, enabling non-blind SSRF. If trustEmailVerified: true is enabled, attacker-controlled userInfo responses can trigger account linking for an existing email, leading to account takeover.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.