Impact
The vulnerability arises because the clientPrivileges hook, which is intended to restrict OAuth client creation according to the configured permissions, is never invoked before new clients are persisted. The issue is classified as CWE-863, reflecting an authorization bypass through user-controlled input. Consequently, any authenticated user can call the client creation endpoints and register a client with attacker-chosen redirect URLs and metadata. This lets the attacker craft a malicious OAuth client that can harvest authorization codes, redirect users to phishing sites, or otherwise compromise the integrity of the OAuth flow.
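The defect class described above, shown as an added example in TypeScript rather than Better Auth's own code: a configured privilege hook that exists but is never consulted, next to a handler that runs it before anything is persisted. The `User`, `ClientInput`, `StoredClient` and `ClientStore` types, the `ClientPrivileges` hook signature and the `registerClient*` functions are all constructed for this illustration and are not Better Auth's API.

```typescript
// Added example (not Better Auth code): a privilege hook that is configured
// but never called, beside the corrected ordering. All names here are
// constructed for the illustration.

export interface User {
  id: string;
  role: "admin" | "member";
}

export interface ClientInput {
  name: string;
  redirectUrls: string[];
}

export interface StoredClient extends ClientInput {
  id: string;
  ownerId: string;
}

// Configured privilege hook: returns true when the caller may create clients.
export type ClientPrivileges = (user: User) => boolean;

// Minimal in-memory persistence layer standing in for the real client table.
export class ClientStore {
  private clients: StoredClient[] = [];
  private seq = 0;

  save(c: Omit<StoredClient, "id">): StoredClient {
    const stored = { ...c, id: `client_${++this.seq}` };
    this.clients.push(stored);
    return stored;
  }

  all(): StoredClient[] {
    return [...this.clients];
  }
}

// Vulnerable shape: the hook is accepted as configuration but never consulted,
// so any authenticated user persists a client with arbitrary redirect URLs.
export function registerClientVulnerable(
  store: ClientStore,
  _hook: ClientPrivileges,
  user: User,
  input: ClientInput,
): StoredClient {
  return store.save({ ...input, ownerId: user.id });
}

// Corrected shape: the hook runs before anything is persisted, and a denial
// is a hard failure rather than a silent fall-through.
export function registerClientFixed(
  store: ClientStore,
  hook: ClientPrivileges,
  user: User,
  input: ClientInput,
): StoredClient {
  if (!hook(user)) {
    throw new Error(`user ${user.id} is not permitted to create OAuth clients`);
  }
  return store.save({ ...input, ownerId: user.id });
}

// Example policy: only administrators may register OAuth clients.
export const adminOnly: ClientPrivileges = (u) => u.role === "admin";
```

The point of the corrected handler is ordering: the authorization decision has to precede the write, and the hook must be wired into the same code path that performs the write, so that a configuration change cannot silently leave the endpoint unguarded. A unit test that calls the endpoint as a low-privilege user and expects a rejection is the cheapest regression guard for this class of bug.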
Affected Systems
The affected product is Better Auth, an authentication and authorization library for TypeScript, including its oauth-provider module. All releases prior to 1.6.5 are affected; version 1.6.5 and later contain the fix.
Risk and Exploitability
The CVSS base score is 7.1, indicating medium to high severity, while the EPSS score is less than 1 %, pointing to a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. The flaw can be exploited only by authenticated users who can reach the OAuth client registration endpoints, so an internal actor or an attacker holding compromised credentials could register malicious clients. Such a client can redirect authorization codes to attacker-controlled endpoints, effectively hijacking user sessions or credential grants. The recommendation is to apply the library update, enforce the clientPrivileges setting, and audit existing client registrations for anomalous redirect URIs.
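The audit step recommended above, as an added TypeScript example that is not part of the advisory or of Better Auth: it walks a set of registered clients and flags redirect URLs that do not look like the deployment's own (non-HTTPS scheme, embedded credentials, fragments, wildcards, or a host outside an allowlist). The `RegisteredClient` record shape, the `allowedHosts` list and the sample registrations are constructed for this illustration and do not reflect Better Auth's schema.

```typescript
// Added example (not Better Auth code): audit existing OAuth client
// registrations for anomalous redirect URLs. Record shape, allowlist and
// sample data are constructed for the illustration.

export interface RegisteredClient {
  id: string;
  redirectUrls: string[];
}

export interface Finding {
  clientId: string;
  redirectUrl: string;
  reason: string;
}

// Returns a reason string when the URL looks anomalous, or null when it passes.
export function checkRedirectUrl(raw: string, allowedHosts: string[]): string | null {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return "unparseable URL";
  }
  if (url.protocol !== "https:") return `non-HTTPS scheme ${url.protocol}`;
  if (url.username || url.password) return "embedded credentials";
  if (url.hash) return "fragment in redirect URL";
  if (raw.includes("*")) return "wildcard in redirect URL";
  const host = url.hostname.toLowerCase();
  const allowed = allowedHosts.some((h) => host === h || host.endsWith(`.${h}`));
  if (!allowed) return `host ${host} is outside the allowlist`;
  return null;
}

// Runs the check over every redirect URL of every client and collects findings
// in registration order, so the output can be diffed between audit runs.
export function auditClients(clients: RegisteredClient[], allowedHosts: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const c of clients) {
    for (const u of c.redirectUrls) {
      const reason = checkRedirectUrl(u, allowedHosts);
      if (reason) findings.push({ clientId: c.id, redirectUrl: u, reason });
    }
  }
  return findings;
}

// Constructed sample registrations: one clean client and three with problems.
export const sampleClients: RegisteredClient[] = [
  { id: "c1", redirectUrls: ["https://app.example.com/callback"] },
  { id: "c2", redirectUrls: ["https://app.example.com/cb", "http://app.example.com/cb"] },
  { id: "c3", redirectUrls: ["https://unknown.example.net/cb"] },
  { id: "c4", redirectUrls: ["https://app.example.com/*"] },
];

// Stand-alone run: print findings for the constructed sample.
for (const f of auditClients(sampleClients, ["app.example.com"])) {
  console.log(`${f.clientId}: ${f.redirectUrl} -> ${f.reason}`);
}
```

The allowlist should name the hosts the deployment actually serves; anything else is a candidate for manual review, since a flagged client may be legitimate but registered during the window in which the privilege check was missing. Pairing the finding list with the client's creation timestamp and owner narrows the review to registrations made before the fix was deployed.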
OpenCVE Enrichment
GitHub GHSA