Am I affected? Users are affected if all of the following are true: Their application uses better-auth at a version < 1.6.11 on the stable line, or any current next pre-release. emailAndPassword.enabled: true is set in…
| CVE ID | CVE-2026-53516 |
| Vendor | npm |
| Affected Product | better-auth |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.3 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
better-auth at a version < 1.6.11 on the stable line, or any current next pre-release.emailAndPassword.enabled: true is set in their application's betterAuth({ ... }) configuration.genericOAuth(...), or any provider via @better-auth/sso).account.accountLinking.disableImplicitLinking is not set to true.account.accountLinking.enabled is not set to false. Setting either disableImplicitLinking: true or enabled: false closes the hole at the cost of breaking the standard "add another login method" UX. emailAndPassword.requireEmailVerification: true does not mitigate, because theSigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.