updateMemberRole can be used to update the role of a member belonging to any organization #1679

Closed
opened 2026-03-13 08:55:26 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @max-om on GitHub (Aug 11, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Hi,

Call updateMemberRole with a memberId belonging to a different organization.

Current vs. Expected behavior

There seems to be a bug with the implementation of updateMemberRole in crud-members where after looking up a member with id, a check is not being done to see if the member actually belongs to the organization provided in the request or the session.

This leads to the situation where provided a member id is known, any logged in user can update the role of any member (even from other organizations).

What version of Better Auth are you using?

1.3.4

System info

MacOS, Chrome

Which area(s) are affected? (Select all that apply)

Package

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

I have raise a PR for a potential patch: https://github.com/better-auth/better-auth/pull/3932

Originally created by @max-om on GitHub (Aug 11, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce Hi, Call updateMemberRole with a memberId belonging to a different organization. ### Current vs. Expected behavior There seems to be a bug with the implementation of updateMemberRole in crud-members where after looking up a member with id, a check is not being done to see if the member actually belongs to the organization provided in the request or the session. This leads to the situation where provided a member id is known, any logged in user can update the role of any member (even from other organizations). ### What version of Better Auth are you using? 1.3.4 ### System info ```bash MacOS, Chrome ``` ### Which area(s) are affected? (Select all that apply) Package ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context I have raise a PR for a potential patch: https://github.com/better-auth/better-auth/pull/3932
GiteaMirror added the security label 2026-03-13 08:55:26 -05:00
Author
Owner

@dosubot[bot] commented on GitHub (Aug 11, 2025):

You are correct—there is a security vulnerability in updateMemberRole: it does not check if the member being updated actually belongs to the organization specified in the request or session. This means that if someone knows a valid memberId, they can update the role of any member, even across organizations, which is a significant risk see code.

No merged PRs or documentation currently address this specific bug as of August 2025, and your referenced PR (#3932) could not be found or reviewed. To mitigate this, you should add a check in updateMemberRole to ensure the member being updated belongs to the organization in the request/session. For now, anyone on v1.3.4 or earlier should implement this check manually or monitor for an official patch.

If you need a code snippet for the recommended check, let me know!

To reply, just mention @dosu.


How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

@dosubot[bot] commented on GitHub (Aug 11, 2025): <!-- Answer --> You are correct—there is a security vulnerability in updateMemberRole: it does not check if the member being updated actually belongs to the organization specified in the request or session. This means that if someone knows a valid memberId, they can update the role of any member, even across organizations, which is a significant risk [see code](https://github.com/better-auth/better-auth/blob/f281c92b9940fe6e81e05c07d24b73f2c2f8bfdd/packages/better-auth/src/plugins/organization/routes/crud-members.ts). No merged PRs or documentation currently address this specific bug as of August 2025, and your referenced PR (#3932) could not be found or reviewed. To mitigate this, you should add a check in updateMemberRole to ensure the member being updated belongs to the organization in the request/session. For now, anyone on v1.3.4 or earlier should implement this check manually or monitor for an official patch. If you need a code snippet for the recommended check, let me know! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/ec68b13f-2344-4e42-af98-24b491a6f536?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3933)
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#1679