Browse all 5 CVE security advisories affecting better-auth. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Better-auth is an authentication and authorization library designed to secure web applications with customizable authentication flows. Historically, it has been susceptible to remote code execution (RCE), cross-site scripting (XSS), and privilege escalation vulnerabilities, primarily due to improper input validation and misconfigurations. The library's security posture has been impacted by five disclosed CVEs, highlighting risks in session management and OAuth implementations. While better-auth offers flexible security features, its complex configuration options have led to misdeployments in production environments. Users must carefully implement security controls to mitigate potential exploitation paths, particularly in multi-tenant deployments where isolation between user contexts is critical.
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41427 | Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2025-61928 | Better Auth: Unauthenticated API key creation through api-key plugin | CWE-285 | 7.5 (AI) | High (AI) | 2025-10-09 |
| CVE-2025-53535 | Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes | CWE-601 | 6.1 (AI) | Medium (AI) | 2025-07-07 |
| CVE-2025-27143 | Better Auth has an Open Redirect via Scheme-Less Callback Parameter | CWE-601 | 6.1 | - | 2025-02-24 |
| CVE-2024-56734 | Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint | CWE-601 | 6.1 | - | 2024-12-30 |

All five advisories concern the better-auth package; scores and severities marked "(AI)" are AI-assigned, the others come from the published advisory.
This page lists every published CVE security advisory associated with better-auth. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.