HomeCVE Intelligence › CVE-2026-53516
CVSS 8.3 HIGH Vulnerability

CVE-2026-53516: Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registere…

Am I affected? Users are affected if all of the following are true: Their application uses better-auth at a version < 1.6.11 on the stable line, or any current next pre-release. emailAndPassword.enabled: true is set in…

8.3CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-53516
Vendornpm
Affected Productbetter-auth
Vulnerability TypeVulnerability
CVSS Score8.3 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth at a version < 1.6.11 on the stable line, or any current next pre-release.

emailAndPassword.enabled: true is set in their application's betterAuth({ ... }) configuration.
• At least one OAuth or SSO provider is configured (any built-in social provider, or genericOAuth(...), or any provider via @better-auth/sso).
account.accountLinking.disableImplicitLinking is not set to true.
account.accountLinking.enabled is not set to false. Setting either disableImplicitLinking: true or enabled: false closes the hole at the cost of breaking the standard "add another login method" UX. emailAndPassword.requireEmailVerification: true does not mitigate, because the

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-53516 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence