Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

better-auth — Vulnerabilities & Security Advisories 15

Browse all 15 CVE security advisories affecting better-auth. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Better-auth is an authentication and authorization library designed to secure web applications with customizable authentication flows. Historically, it has been susceptible to remote code execution (RCE), cross-site scripting (XSS), and privilege escalation vulnerabilities, primarily due to improper input validation and misconfigurations. The library's security posture has been impacted by five disclosed CVEs, highlighting risks in session management and OAuth implementations. While better-auth offers flexible security features, its complex configuration options have led to misdeployments in production environments. Users must carefully implement security controls to mitigate potential exploitation paths, particularly in multi-tenant deployments where isolation between user contexts is critical.

Top products by better-auth: better-auth better-icons
CVE IDTitleCVSSSeverityPublished
CVE-2026-53517 Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking — better-authCWE-362 8.1 High2026-07-15
CVE-2026-45337 Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending — better-authCWE-285 7.6 High2026-07-15
CVE-2026-53514 Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin — better-authCWE-287 7.7 High2026-07-15
CVE-2026-53515 Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso — better-authCWE-269 7.1 High2026-07-15
CVE-2026-53512 Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins — better-authCWE-287--2026-07-15
CVE-2026-53518 Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption — better-authCWE-362--2026-07-15
CVE-2026-53513 Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration — better-authCWE-20 9.6 Critical2026-07-15
CVE-2026-53516 Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email — better-authCWE-287 8.3 High2026-07-15
CVE-2026-15527 better-auth better-icons scan_project_icons/sync_icon path traversal — better-iconsCWE-22 5.3 Medium2026-07-13
CVE-2026-45364 Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation — better-authCWE-307 7.3 High2026-05-28
CVE-2026-41427 Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients — better-authCWE-863 4.3AIMediumAI2026-04-24
CVE-2025-61928 Better Auth: Unauthenticated API key creation through api-key plugin — better-authCWE-285 7.5AIHighAI2025-10-09
CVE-2025-53535 Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes — better-authCWE-601 6.1AIMediumAI2025-07-07
CVE-2025-27143 Beter Auth has an Open Redirect via Scheme-Less Callback Parameter — better-authCWE-601 6.1 -2025-02-24
CVE-2024-56734 Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint — better-authCWE-601 6.1 -2024-12-30

This page lists every published CVE security advisory associated with better-auth. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.