GHSA-CQ3F-VC6P-68FH
Vulnerability from github – Published: 2026-06-04 14:55 – Updated: 2026-06-09 11:58Am I affected?
You are affected if all of the following are true:
- You use
better-authat a version>= 1.6.0, < 1.6.11. - The
deviceAuthorizationplugin is enabled in your auth config (deviceAuthorization()in yourpluginsarray). - A third party can observe a pending user code before the legitimate user completes verification.
The standard device-flow UX displays user codes to humans, so realistic exposure includes shoulder-surfing, screen-share, voice or video calls, support-chat transcripts, referrer headers, and shared logs.
If your application does not enable the deviceAuthorization plugin, you are not affected.
Fix:
- Upgrade to
better-auth@1.6.11or later. - If you cannot upgrade, see workarounds below.
Summary
Better Auth's deviceAuthorization plugin treated any authenticated session as the owner of any pending device code. The ownership gate on POST /device/approve and POST /device/deny short-circuited whenever the row's userId was unset, and the GET /device verification handler did not claim the row. An authenticated attacker who learned a valid user_code before the legitimate user completed approval could bind the polling device to the attacker's account or deny the legitimate flow.
Details
The device authorization flow binds the polling device to the user who entered the user code on the verification page. In affected versions, the plugin only created that binding at approve or deny time, with no claim at the verification step. The ownership check at approve and deny short-circuited when the owner was missing, accepting any authenticated caller instead of rejecting the request.
The fix changes GET /device to claim the pending row for the calling session. The approve and deny gates now require strict equality between the row's owner and the calling session. RFC 8628 §5.5 covers this risk class as Session Spying: a malicious party can hijack a session by completing authorization before the legitimate initiating user does.
Patches
Fixed in better-auth@1.6.11. After the patch, GET /device claims the pending row for the calling session, and POST /device/approve and POST /device/deny reject calls whose session does not match the claimed owner. Custom verification pages must serve GET /device to an authenticated session for the flow to succeed.
Workarounds
If you cannot upgrade immediately:
- Disable the plugin if you do not use the device flow: remove
deviceAuthorization()from yourpluginsarray. - Add a
beforehook onPOST /device/approveandPOST /device/denythat tracks which session calledGET /devicefor each user code, and rejects calls from a different session. - Shorten the pending lifetime of device codes via the
expiresInplugin option to reduce the exploitation window.
Impact
- Account takeover on the polling device: the attacker's session becomes the device's session, so the device operates as the attacker.
- Denial of the legitimate sign-in: the attacker can mark the code as denied, blocking the victim's flow.
Credit
Reported by Quikturn Security Team.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "better-auth"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45337"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-345",
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T14:55:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Am I affected?\n\nYou are affected if all of the following are true:\n\n- You use `better-auth` at a version `\u003e= 1.6.0, \u003c 1.6.11`.\n- The `deviceAuthorization` plugin is enabled in your auth config (`deviceAuthorization()` in your `plugins` array).\n- A third party can observe a pending user code before the legitimate user completes verification.\n\nThe standard device-flow UX displays user codes to humans, so realistic exposure includes shoulder-surfing, screen-share, voice or video calls, support-chat transcripts, referrer headers, and shared logs.\n\nIf your application does not enable the `deviceAuthorization` plugin, you are not affected.\n\nFix:\n\n1. Upgrade to `better-auth@1.6.11` or later.\n2. If you cannot upgrade, see workarounds below.\n\n### Summary\n\nBetter Auth\u0027s `deviceAuthorization` plugin treated any authenticated session as the owner of any pending device code. The ownership gate on `POST /device/approve` and `POST /device/deny` short-circuited whenever the row\u0027s `userId` was unset, and the `GET /device` verification handler did not claim the row. An authenticated attacker who learned a valid `user_code` before the legitimate user completed approval could bind the polling device to the attacker\u0027s account or deny the legitimate flow.\n\n### Details\n\nThe device authorization flow binds the polling device to the user who entered the user code on the verification page. In affected versions, the plugin only created that binding at approve or deny time, with no claim at the verification step. The ownership check at approve and deny short-circuited when the owner was missing, accepting any authenticated caller instead of rejecting the request.\n\nThe fix changes `GET /device` to claim the pending row for the calling session. The approve and deny gates now require strict equality between the row\u0027s owner and the calling session. RFC 8628 \u00a75.5 covers this risk class as Session Spying: a malicious party can hijack a session by completing authorization before the legitimate initiating user does.\n\n### Patches\n\nFixed in `better-auth@1.6.11`. After the patch, `GET /device` claims the pending row for the calling session, and `POST /device/approve` and `POST /device/deny` reject calls whose session does not match the claimed owner. Custom verification pages must serve `GET /device` to an authenticated session for the flow to succeed.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n- **Disable the plugin** if you do not use the device flow: remove `deviceAuthorization()` from your `plugins` array.\n- **Add a `before` hook** on `POST /device/approve` and `POST /device/deny` that tracks which session called `GET /device` for each user code, and rejects calls from a different session.\n- **Shorten the pending lifetime of device codes** via the `expiresIn` plugin option to reduce the exploitation window.\n\n### Impact\n\n- **Account takeover on the polling device**: the attacker\u0027s session becomes the device\u0027s session, so the device operates as the attacker.\n- **Denial of the legitimate sign-in**: the attacker can mark the code as denied, blocking the victim\u0027s flow.\n\n### Credit\n\nReported by Quikturn Security Team.\n\n### References\n\n- [CWE-285: Improper Authorization](https://cwe.mitre.org/data/definitions/285.html)\n- [CWE-863: Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)\n- [RFC 8628 \u00a75.5: Session Spying](https://datatracker.ietf.org/doc/html/rfc8628#section-5.5)",
"id": "GHSA-cq3f-vc6p-68fh",
"modified": "2026-06-09T11:58:19Z",
"published": "2026-06-04T14:55:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh"
},
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/pull/9573"
},
{
"type": "PACKAGE",
"url": "https://github.com/better-auth/better-auth"
},
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.