CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53514

highCVSS 7.7covered by 1 sourcefirst seen 2026-07-07
Am I affected? Users are affected if all of the following are true: - Their application uses better-auth with the organization plugin (import { organization } from "better-auth/plugins/organization"). - Their application enables a sign-up surface that allows arbitrary unverified email registration. Most commonly emailAndPassword: { enabled: true } without requireEmailVerification: true. - Their application has not set requireEmailVerificationOnInvitation: true on the organization() options. - Their application invitation distribution flow allows anyone other than the invited mailbox owner to obtain the invitationId. Examples: admin UI surfacing the link, copy-paste into chat, forwarded email, mail-forwarding rules at the recipient's domain, link previews logging the URL, or a custom sendInvitationEmail integration that sends to a non-owner channel. If their application set emailAndPassword: { enabled: true, requireEmailVerification: true } so unverified rows cannot reach a usable session, they are not affected. Setting requireEmailVerificationOnInvitation: true closes acceptInvitation and rejectInvitation, but getInvitation and listUserInvitations remain ungated even with that flag. Fix: 1. Upgrade to better-auth@1.6.11 or later. 2. If developers cannot upgrade their application, see workarounds below. Summary The organization plugin's acceptInvitation endpoint trusts an email-string equality check as proof that the session user owns the invited address. With Better Auth's stock emailAndPassword: { enabled: true } configuration, requireEmailVerification defaults to false, so an attacker can sign up a row keyed to victim@target.example (auto-signed-in, emailVerified: false) before the legitimate owner. When an organization admin invites that address, the attacker presents the invitationId and accepts the invitation, joining the organization at the invited role. Details The recipient gate compares invitation.email.toLowerCase() to session.user.email.toLowerCa

⚡ Watch CVE-2026-53514

Get an email if CVE-2026-53514 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53514

CVE.org record

Embed the live status

CVE-2026-53514 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53514 status](https://www.csirts.com/badge/CVE-2026-53514)](https://www.csirts.com/cve/CVE-2026-53514)