While working on the agents project, I reviewed the dependency manifest and found that it uses a vulnerable version of @better-auth/oauth-provider. During analysis, I discovered that access control checks for OAuth client creation are not properly enforced. This allows low-privilege authenticated users to create OAuth clients even when restrictions (clientPrivileges) are configured.
CVE Report
CVE Link
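To illustrate the bug class described above (authentication checked, configured restriction never consulted), here is an added example that is not code from @better-auth/oauth-provider or from the reporter; the option shape `ClientPrivileges`, the role names and the `createClient*` functions are assumptions made for the illustration.

```typescript
type Role = "admin" | "developer" | "user";
interface User { id: string; role: Role; }
interface OAuthClient { clientId: string; ownerId: string; }

// Constructed stand-in for a clientPrivileges-style restriction:
// only the listed roles may register OAuth clients.
// (Assumption: not the library's real option shape.)
interface ClientPrivileges { allowedRoles: Role[]; }

type CreateFn = (user: User | null, privileges: ClientPrivileges) => OAuthClient;

// Vulnerable pattern: the caller must be signed in, but the configured
// restriction is never looked at, so any authenticated user gets a client.
const createClientVulnerable: CreateFn = (user, _privileges) => {
  if (!user) throw new Error("unauthenticated");
  return { clientId: `client_${user.id}`, ownerId: user.id };
};

// Hardened pattern: authorization is enforced against the configured
// restriction before any client record is created, and denial is explicit.
const createClientHardened: CreateFn = (user, privileges) => {
  if (!user) throw new Error("unauthenticated");
  if (!privileges.allowedRoles.includes(user.role)) {
    throw new Error(`forbidden: role '${user.role}' may not create OAuth clients`);
  }
  return { clientId: `client_${user.id}`, ownerId: user.id };
};

// Returns true when creation succeeds, so both paths can be compared
// for the same caller and the same configured restriction.
function canCreate(fn: CreateFn, user: User | null, privileges: ClientPrivileges): boolean {
  try { fn(user, privileges); return true; } catch { return false; }
}
```

With `allowedRoles: ["admin"]`, the vulnerable path still lets a `user`-role caller create a client, while the hardened path denies it and still allows an admin.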