GHSA-j8v8-g9cx-5qf4: @better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
The @better-auth/scim plugin versions from 1.5.0 onward have a vulnerability affecting non-organization (personal) SCIM providers when the providerOwnership option is not enabled. This allows any authenticated user in a multi-user deployment to manage another user's non-org SCIM provider, including reading metadata, listing connections, regenerating SCIM bearer tokens, and deleting connections. Regenerating a token invalidates the legitimate user's token and grants the attacker a valid token, enabling account/provider takeover. Organization-scoped providers are not affected due to enforced membership and role checks. The issue is fixed in version 1.7.0-beta.4 and later, which makes owner binding mandatory and removes the providerOwnership option. The 1.6.x stable line remains unpatched.
AI Analysis
Technical Summary
@better-auth/scim plugin does not bind non-organization SCIM providers to their creator by default, allowing any authenticated user to access and manage another user's non-org provider. The access control check only denies access if a stored owner ID exists and differs from the caller, but since the default is no owner ID, access is granted. This flaw enables attackers to regenerate SCIM bearer tokens for another user's provider, invalidating the legitimate token and gaining unauthorized access. The vulnerability affects all stable releases from 1.5.0 onward and pre-release builds through 1.7.0-beta.3. The fix in 1.7.0-beta.4 enforces mandatory owner binding and requires a schema migration. The 1.6.x stable line is not patched. Workarounds include enabling providerOwnership: { enabled: true } and running the schema migration.
Potential Impact
An attacker with any authenticated user account on a deployment using the vulnerable @better-auth/scim plugin can take over another user's non-organization SCIM provider by regenerating its SCIM bearer token. This results in the legitimate user's token being invalidated and the attacker gaining full management access to the provider, including reading metadata, listing connections, and deleting the provider. This compromises confidentiality and integrity of the SCIM provider's data and access. The vulnerability does not require organization membership or elevated roles and affects multi-user deployments using non-org providers without owner binding enabled.
Mitigation Recommendations
Upgrade to @better-auth/scim version 1.7.0-beta.4 or later (including 1.7.0), which enforces mandatory owner binding and removes the providerOwnership option. After upgrading, run the schema migration using 'npx auth migrate' to add the permanent scimProvider.userId column. For connections created before the upgrade that lack an owner, manually reclaim them by deleting or assigning ownership at the database level and regenerating tokens. If upgrading is not immediately possible, enable providerOwnership: { enabled: true } when registering the plugin and run the schema migration as a temporary workaround. Note that the 1.6.x stable line is not patched.
GHSA-j8v8-g9cx-5qf4: @better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
Description
The @better-auth/scim plugin versions from 1.5.0 onward have a vulnerability affecting non-organization (personal) SCIM providers when the providerOwnership option is not enabled. This allows any authenticated user in a multi-user deployment to manage another user's non-org SCIM provider, including reading metadata, listing connections, regenerating SCIM bearer tokens, and deleting connections. Regenerating a token invalidates the legitimate user's token and grants the attacker a valid token, enabling account/provider takeover. Organization-scoped providers are not affected due to enforced membership and role checks. The issue is fixed in version 1.7.0-beta.4 and later, which makes owner binding mandatory and removes the providerOwnership option. The 1.6.x stable line remains unpatched.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
@better-auth/scim plugin does not bind non-organization SCIM providers to their creator by default, allowing any authenticated user to access and manage another user's non-org provider. The access control check only denies access if a stored owner ID exists and differs from the caller, but since the default is no owner ID, access is granted. This flaw enables attackers to regenerate SCIM bearer tokens for another user's provider, invalidating the legitimate token and gaining unauthorized access. The vulnerability affects all stable releases from 1.5.0 onward and pre-release builds through 1.7.0-beta.3. The fix in 1.7.0-beta.4 enforces mandatory owner binding and requires a schema migration. The 1.6.x stable line is not patched. Workarounds include enabling providerOwnership: { enabled: true } and running the schema migration.
Potential Impact
An attacker with any authenticated user account on a deployment using the vulnerable @better-auth/scim plugin can take over another user's non-organization SCIM provider by regenerating its SCIM bearer token. This results in the legitimate user's token being invalidated and the attacker gaining full management access to the provider, including reading metadata, listing connections, and deleting the provider. This compromises confidentiality and integrity of the SCIM provider's data and access. The vulnerability does not require organization membership or elevated roles and affects multi-user deployments using non-org providers without owner binding enabled.
Mitigation Recommendations
Upgrade to @better-auth/scim version 1.7.0-beta.4 or later (including 1.7.0), which enforces mandatory owner binding and removes the providerOwnership option. After upgrading, run the schema migration using 'npx auth migrate' to add the permanent scimProvider.userId column. For connections created before the upgrade that lack an owner, manually reclaim them by deleting or assigning ownership at the database level and regenerating tokens. If upgrading is not immediately possible, enable providerOwnership: { enabled: true } when registering the plugin and run the schema migration as a temporary workaround. Note that the 1.6.x stable line is not patched.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-j8v8-g9cx-5qf4
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a4e4ef7c9d9e3dbe328cbf2
Added to database: 07/08/2026, 13:21:59 UTC
Last enriched: 07/08/2026, 13:44:02 UTC
Last updated: 07/09/2026, 01:33:09 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.