GHSA-J8V8-G9CX-5QF4: Missing Authorization and Access Control Flaw in @better-auth/scim
Vulnerability ID: GHSA-J8V8-G9CX-5QF4
CVSS Score: 8.8
Published: 2026-07-07
An authorization bypass vulnerability in the @better-auth/scim plugin allows authenticated attackers to hijack personal SCIM providers and subsequently perform full account takeovers.
TL;DR
A missing authorization check in @better-auth/scim allows any logged-in user to regenerate tokens for personal SCIM providers, delete existing configurations, and use hijacked administrative privileges to manipulate and take over target user accounts.
Technical Details
- CWE ID: CWE-862 (Missing Authorization)
- Attack Vector: Network
- CVSS Score: 8.8
- Impact: Provider hijacking and Account Takeover
- Exploit Status: none
- KEV Status: Not listed
Affected Systems
- Applications utilizing the @better-auth/scim plugin within the better-auth ecosystem.
-
@better-auth/scim: < 1.7.0-beta.4 (Fixed in:
1.7.0-beta.4)
Mitigation Strategies
- Upgrade @better-auth/scim to version v1.7.0-beta.4 or higher.
- Enable providerOwnership in the SCIM plugin configuration.
- Manually apply database migrations to append the userId column to the scimProvider schema.
- Implement restrictive policies in the canGenerateToken hook to limit who can generate personal SCIM integration tokens.
Remediation Steps:
- Identify the current version of @better-auth/scim in use.
- Update package dependencies to version v1.7.0-beta.4 or later.
- Execute database migration: ALTER TABLE "scimProvider" ADD COLUMN "userId" TEXT;
- Modify Better Auth initialization config to set providerOwnership.enabled to true.
- Restart application processes to load updated schema configurations.
References
- GHSA-J8V8-G9CX-5QF4 Advisory Entry
- Better Auth Main Repository
- SCIM Route Declarations Source Code
- SCIM Plugin Index Entry Source Code
Read the full report for GHSA-J8V8-G9CX-5QF4 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)