diff --git a/apps/web/src/lib/server/auth/index.ts b/apps/web/src/lib/server/auth/index.ts
index 88c3c2bc5..b85f04e3b 100644
--- a/apps/web/src/lib/server/auth/index.ts
+++ b/apps/web/src/lib/server/auth/index.ts
@@ -251,7 +251,9 @@ async function createAuth() {
 ...(creds.tokenUrl && { tokenUrl: creds.tokenUrl }),
 scopes: scopeStr.split(/\s+/).filter(Boolean),
 })
- trustedProviders.push(provider.id)
+ // Do not trust arbitrary custom OIDC providers for automatic
+ // account linking. Built-in providers and dedicated workspace
+ // SSO are trusted separately.
 } else {
 // Built-in social providers
 const providerConfig: Record = {
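Review bot: The comment that replaces `trustedProviders.push(provider.id)` states the policy but not the consequence, so nothing stops a later maintainer from reinstating the push as an apparent fix for "custom OIDC users have to link manually". If `trustedProviders` feeds the auth library's account-linking setting, as the name suggests, the reason is that a custom OIDC provider is operator-configured and can assert any email claim, so trusting it would let that provider link to an existing account that merely shares the email; I would say so at the removed line: `// A custom OIDC provider is operator-configured and can assert any email claim; trusting it for linking would let it attach to an existing account with that email, so it is deliberately left out of trustedProviders.` A small regression test asserting that a custom provider's id is absent from the computed `trustedProviders` would guard the change better than the comment alone. The claim that built-in providers and workspace SSO are trusted "separately" refers to code outside this hunk, and the enclosing `createAuth` body begins before and continues after it.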