Lucene search
K

11 matches found

NVD
NVD
added yesterday5 views

CVE-2026-53514

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation,...

7.7CVSS0.00016EPSS
Exploits0References4
CVE
CVE
added yesterday10 views

CVE-2026-53514

Better Auth (organization plugin) exposes a vulnerability where an attacker with an unverified session for the invited email and a leaked invitationId can join the organization by calling acceptInvitation/rejectInvitation/getInvitation/listUserInvitations, due to email-string ownership checks not...

7.7CVSS6.1AI score0.00016EPSS
Exploits0References4
CVE
CVE
added yesterday5 views

CVE-2026-53515

CVE-2026-53515 : The Better Auth library, specifically the @better-auth/sso plugin, contains a privilege escalation in versions 1.2.10 through 1.6.11. The POST /sso/register endpoint incorrectly allows any organization member to attach a new SSO provider because registerSSOProvider checks only fo...

7.1CVSS6.1AI score0.00028EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/07/07 8:11 p.m.6 views

NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins

NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.11...

9.1CVSS5.9AI score0.00013EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/28 9:34 p.m.13 views

EUVD-2026-33073

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for or the configured IP-bearing header. IPv6 clients controlling a typical /6...

7.3CVSS5.8AI score0.00295EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/05/15 5:41 p.m.13 views

NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation

NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation vulnerability discovered by ? in WordPress Npm better-auth versions 1.4.17...

7.3CVSS5.8AI score0.00295EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/05/15 5:41 p.m.7 views

GHSA-P6V2-XCPG-H6XW Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation

Am I affected? Users are affected if all of the following are true: - Their app uses better-auth at a version 1.4.17, or at a v1.5 prerelease tagged = 1.5.0-beta.8. - The apps authentication endpoints serve clients reachable over IPv6. Most managed hosts including Cloudflare, Vercel, Fly.io, AWS...

7.3CVSS5.8AI score0.00295EPSS
Exploits0References7
OSV
OSV
added 2026/05/15 5:33 p.m.4 views

GHSA-WXW3-Q3M9-C3JR Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE

Am I affected? Users are affected if all of the following are true: - The application uses better-auth at a version below 1.6.2 or @better-auth/sso paired with such a version. - betterAuth account: storeStateStrategy is set to "cookie". The default "database" is not affected. - The application...

5.3CVSS6AI score
Exploits0References5
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.13 views

Better Auth 安全漏洞

Better Auth is an open-source TypeScript framework for authentication. Versions of Better Auth prior to 1.6.5 contained a security vulnerability. This vulnerability stemmed from the clientPrivileges option recording creation operations. However, the OAuth client did not call the hook before...

7.1CVSS5.8AI score0.00212EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2025/11/26 10:11 p.m.8 views

@alstar/studio (=0.0.0-beta.20), @better-auth/cli (>=1.3.4 <=1.4.0-beta.28) +16 more potentially affected by unknown CVE via better-auth (>=1.3.34 <=1.4.0-beta.9)

better-auth NPM version =1.3.34, =1.3.4, =0.18.9, =0.5.2, =7.0.9-canary.2, =7.0.9-canary.2, =0.1.8, =0.1.0, =0.0.22, =0.10.0, =0.11.1-canary.15, =0.8.2, =0.0.10, =1.0.0, =1.0.4, =3.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WMJR-V86C-M9JJ...

5.5AI score
Exploits0
Github Security Blog
Github Security Blog
added 2025/11/25 9:42 p.m.9 views

Better Auth Passkey Plugin allows passkey deletion through IDOR

Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey. Details ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...

6.9AI score
Exploits0References3Affected Software1
Rows per page
Query Builder