Skip to main content

Better Auth CVE-2026-45337

| EUVDEUVD-2026-44743 HIGH
Improper Authorization (CWE-285)
2026-06-04 https://github.com/better-auth/better-auth GHSA-cq3f-vc6p-68fh
7.6
CVSS 3.1 · Vendor: https://github.com/better-auth/better-auth
Share

Severity by source

Vendor (https://github.com/better-auth/better-auth) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Primary rating from Vendor (https://github.com/better-auth/better-auth) · only source for this CVE.

CVSS VectorVendor: https://github.com/better-auth/better-auth

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 04, 2026 - 15:21 vuln.today
Analysis Generated
Jun 04, 2026 - 15:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on better-auth (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.6.0.

DescriptionCVE.org

Am I affected?

You are affected if all of the following are true:

  • You use better-auth at a version >= 1.6.0, < 1.6.11.
  • The deviceAuthorization plugin is enabled in your auth config (deviceAuthorization() in your plugins array).
  • A third party can observe a pending user code before the legitimate user completes verification.

The standard device-flow UX displays user codes to humans, so realistic exposure includes shoulder-surfing, screen-share, voice or video calls, support-chat transcripts, referrer headers, and shared logs.

If your application does not enable the deviceAuthorization plugin, you are not affected.

Fix:

  1. Upgrade to better-auth@1.6.11 or later.
  2. If you cannot upgrade, see workarounds below.

Summary

Better Auth's deviceAuthorization plugin treated any authenticated session as the owner of any pending device code. The ownership gate on POST /device/approve and POST /device/deny short-circuited whenever the row's userId was unset, and the GET /device verification handler did not claim the row. An authenticated attacker who learned a valid user_code before the legitimate user completed approval could bind the polling device to the attacker's account or deny the legitimate flow.

Details

The device authorization flow binds the polling device to the user who entered the user code on the verification page. In affected versions, the plugin only created that binding at approve or deny time, with no claim at the verification step. The ownership check at approve and deny short-circuited when the owner was missing, accepting any authenticated caller instead of rejecting the request.

The fix changes GET /device to claim the pending row for the calling session. The approve and deny gates now require strict equality between the row's owner and the calling session. RFC 8628 §5.5 covers this risk class as Session Spying: a malicious party can hijack a session by completing authorization before the legitimate initiating user does.

Patches

Fixed in better-auth@1.6.11. After the patch, GET /device claims the pending row for the calling session, and POST /device/approve and POST /device/deny reject calls whose session does not match the claimed owner. Custom verification pages must serve GET /device to an authenticated session for the flow to succeed.

Workarounds

If you cannot upgrade immediately:

  • Disable the plugin if you do not use the device flow: remove deviceAuthorization() from your plugins array.
  • Add a before hook on POST /device/approve and POST /device/deny that tracks which session called GET /device for each user code, and rejects calls from a different session.
  • Shorten the pending lifetime of device codes via the expiresIn plugin option to reduce the exploitation window.

Impact

  • Account takeover on the polling device: the attacker's session becomes the device's session, so the device operates as the attacker.
  • Denial of the legitimate sign-in: the attacker can mark the code as denied, blocking the victim's flow.

Credit

Reported by Quikturn Security Team.

AnalysisAI

Account takeover in Better Auth's deviceAuthorization plugin (versions >= 1.6.0, < 1.6.11) allows an authenticated attacker who learns a pending user_code to bind a victim's polling device to the attacker's session or deny the legitimate sign-in. The flaw stems from a missing ownership claim at the verification step combined with a short-circuited owner check on approve/deny endpoints. No public exploit identified at time of analysis, but the patch PR and detailed advisory provide a clear roadmap for exploitation.

Technical ContextAI

Better Auth is a TypeScript authentication library distributed via npm (pkg:npm/better-auth). The deviceAuthorization plugin implements RFC 8628 (OAuth 2.0 Device Authorization Grant), where a user enters a short user_code on a verification page to bind a separate polling device to their account. The vulnerability is a CWE-285 (Improper Authorization) flaw: GET /device never claimed the pending device-code row for the calling session, and the ownership gate on POST /device/approve and POST /device/deny short-circuited whenever the row's userId was unset, accepting any authenticated caller. RFC 8628 §5.5 explicitly catalogs this as Session Spying.

RemediationAI

Vendor-released patch: better-auth 1.6.11 - upgrade the npm dependency to better-auth@1.6.11 or later, which makes GET /device claim the pending row for the calling session and enforces strict session-to-owner equality on POST /device/approve and POST /device/deny. If immediate upgrade is not possible and the device flow is unused, remove deviceAuthorization() from the plugins array to fully eliminate the attack surface. As a stopgap on vulnerable versions, add a before hook on POST /device/approve and POST /device/deny that records which session called GET /device for each user_code and rejects mismatched callers (side effect: custom verification pages must route through GET /device under an authenticated session, matching the post-patch contract). Additionally, shorten the deviceAuthorization expiresIn plugin option to compress the exploitation window (trade-off: legitimate users have less time to complete verification on slow devices). See the advisory at https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh and patch PR https://github.com/better-auth/better-auth/pull/9573.

Share

CVE-2026-45337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy