11 matches found
CVE-2026-53514
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation,...
CVE-2026-53514
Better Auth (organization plugin) exposes a vulnerability where an attacker with an unverified session for the invited email and a leaked invitationId can join the organization by calling acceptInvitation/rejectInvitation/getInvitation/listUserInvitations, due to email-string ownership checks not...
CVE-2026-53515
CVE-2026-53515 : The Better Auth library, specifically the @better-auth/sso plugin, contains a privilege escalation in versions 1.2.10 through 1.6.11. The POST /sso/register endpoint incorrectly allows any organization member to attach a new SSO provider because registerSSOProvider checks only fo...
NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.11...
EUVD-2026-33073
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for or the configured IP-bearing header. IPv6 clients controlling a typical /6...
NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation vulnerability discovered by ? in WordPress Npm better-auth versions 1.4.17...
GHSA-P6V2-XCPG-H6XW Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
Am I affected? Users are affected if all of the following are true: - Their app uses better-auth at a version 1.4.17, or at a v1.5 prerelease tagged = 1.5.0-beta.8. - The apps authentication endpoints serve clients reachable over IPv6. Most managed hosts including Cloudflare, Vercel, Fly.io, AWS...
GHSA-WXW3-Q3M9-C3JR Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
Am I affected? Users are affected if all of the following are true: - The application uses better-auth at a version below 1.6.2 or @better-auth/sso paired with such a version. - betterAuth account: storeStateStrategy is set to "cookie". The default "database" is not affected. - The application...
Better Auth 安全漏洞
Better Auth is an open-source TypeScript framework for authentication. Versions of Better Auth prior to 1.6.5 contained a security vulnerability. This vulnerability stemmed from the clientPrivileges option recording creation operations. However, the OAuth client did not call the hook before...
@alstar/studio (=0.0.0-beta.20), @better-auth/cli (>=1.3.4 <=1.4.0-beta.28) +16 more potentially affected by unknown CVE via better-auth (>=1.3.34 <=1.4.0-beta.9)
better-auth NPM version =1.3.34, =1.3.4, =0.18.9, =0.5.2, =7.0.9-canary.2, =7.0.9-canary.2, =0.1.8, =0.1.0, =0.0.22, =0.10.0, =0.11.1-canary.15, =0.8.2, =0.0.10, =1.0.0, =1.0.4, =3.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WMJR-V86C-M9JJ...
Better Auth Passkey Plugin allows passkey deletion through IDOR
Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey. Details ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...