Back to overview

CVE-2026-45337

HIGH
7.6
CVSS 3.1
Description
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny short-circuit when userId is unset, allowing an authenticated attacker who learns a valid user_code to bind the polling device to the attacker's account or deny the legitimate flow. This issue is fixed in version 1.6.11.

Metadata

CVE ID
CVE-2026-45337
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-11 21:40 UTC
Published
2026-07-15 17:31 UTC
Last updated
2026-07-15 18:02 UTC
Primary CWE
CWE-285
CWE-285: Improper Authorization
Vendor / Product
better-auth / better-auth
Sources
cve.org  ·  NVD

Severity & Metrics

7.6 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
better-auth better-auth >= 1.6.0, < 1.6.11
Weakness (CWE)
CWESourceDescription
CWE-285 cna CWE-285: Improper Authorization
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.6 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
References (4)
Back to overview