Authentication and Authorization Vulnerability in Better Auth Library by Better Auth
CVE-2026-45337

7.6HIGH

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-45337?

The Better Auth library, a popular authentication and authorization tool for TypeScript, has a significant vulnerability affecting versions from 1.6.0 to 1.6.10. This issue arises from how the deviceAuthorization plugin manages authenticated sessions. Specifically, it does not adequately control access, allowing authenticated attackers who discover a valid user_code to hijack the device polling process. This can lead to unauthorized binding of the device to the attacker's account or denial of services to legitimate users. The vulnerability has been addressed in version 1.6.11, highlighting the critical importance of updating to mitigate such risks.

Affected Version(s)

better-auth >= 1.6.0, < 1.6.11

References

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.