Summary
Am I affected?
You are affected if all of the following are true:
- You use
better-authat a version>= 1.6.0, < 1.6.11. - The
deviceAuthorizationplugin is enabled in your auth config (deviceAuthorization()in yourpluginsarray). - A third party can observe a pending user code before the legitimate user completes verification.
The standard device-flow UX displays user codes to humans, so realistic exposure includes shoulder-surfing, screen-share, voice or video calls, support-chat transcripts, referrer headers, and shared logs.
If your application does not enable the deviceAuthorization plugin, you are not affected.
Fix:
- Upgrade to
[email protected]or later. - If you cannot upgrade, see workarounds below.
Better Auth's deviceAuthorization plugin treated any authenticated session as the owner of any pending device code. The ownership gate on POST /device/approve and POST /device/deny short-circuited whenever the row's userId was unset, and the GET /device verification handler did not claim the row. An authenticated attacker who learned a valid user_code before the legitimate user completed approval could bind the polling device to the attacker's account or deny the legitimate flow.
Details
The device authorization flow binds the polling device to the user who entered the user code on the verification page. In affected versions, the plugin only created that binding at approve or deny time, with no claim at the verification step. The ownership check at approve and deny short-circuited when the owner was missing, accepting any authenticated caller instead of rejecting the request.
The fix changes GET /device to claim the pending row for the calling session. The approve and deny gates now require strict equality between the row's owner and the calling session. RFC 8628 §5.5 covers this risk class as Session Spying: a malicious party can hijack a session by completing authorization before the legitimate initiating user does.
Workarounds
If you cannot upgrade immediately:
- Disable the plugin if you do not use the device flow: remove
deviceAuthorization()from yourpluginsarray. - Add a
beforehook onPOST /device/approveandPOST /device/denythat tracks which session calledGET /devicefor each user code, and rejects calls from a different session. - Shorten the pending lifetime of device codes via the
expiresInplugin option to reduce the exploitation window.
Credit
Reported by Quikturn Security Team.
References
Impact
- Account takeover on the polling device: the attacker's session becomes the device's session, so the device operates as the attacker.
- Denial of the legitimate sign-in: the attacker can mark the code as denied, blocking the victim's flow.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
CVE-2026-45337 has a CVSS score of 7.6 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.11); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in [email protected]. After the patch, GET /device claims the pending row for the calling session, and POST /device/approve and POST /device/deny reject calls whose session does not match the claimed owner. Custom verification pages must serve GET /device to an authenticated session for the flow to succeed.
Frequently Asked Questions
- What is CVE-2026-45337? CVE-2026-45337 is a high-severity incorrect authorization vulnerability in better-auth (npm), affecting versions >= 1.6.0, < 1.6.11. It is fixed in 1.6.11. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is CVE-2026-45337? CVE-2026-45337 has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of better-auth are affected by CVE-2026-45337? better-auth (npm) versions >= 1.6.0, < 1.6.11 is affected.
- Is there a fix for CVE-2026-45337? Yes. CVE-2026-45337 is fixed in 1.6.11. Upgrade to this version or later.
- Is CVE-2026-45337 exploitable, and should I be worried? Whether CVE-2026-45337 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-45337 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45337? Upgrade
better-authto 1.6.11 or later.