Authentication and Authorization Vulnerability in Better Auth Library by Better Auth
CVE-2026-45337
7.6HIGH
What is CVE-2026-45337?
The Better Auth library, a popular authentication and authorization tool for TypeScript, has a significant vulnerability affecting versions from 1.6.0 to 1.6.10. This issue arises from how the deviceAuthorization plugin manages authenticated sessions. Specifically, it does not adequately control access, allowing authenticated attackers who discover a valid user_code to hijack the device polling process. This can lead to unauthorized binding of the device to the attacker's account or denial of services to legitimate users. The vulnerability has been addressed in version 1.6.11, highlighting the critical importance of updating to mitigate such risks.
Affected Version(s)
better-auth >= 1.6.0, < 1.6.11
