{"id":"CVE-2026-45337","summary":"Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending","details":"Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny short-circuit when userId is unset, allowing an authenticated attacker who learns a valid user_code to bind the polling device to the attacker's account or deny the legitimate flow. This issue is fixed in version 1.6.11.","aliases":["GHSA-cq3f-vc6p-68fh"],"modified":"2026-07-17T03:46:33.506852238Z","published":"2026-07-15T17:31:44.983Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-285","CWE-345"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45337.json"},"references":[{"type":"WEB","url":"https://github.com/better-auth/better-auth/releases/tag/v1.6.11"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45337.json"},{"type":"ADVISORY","url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45337"},{"type":"FIX","url":"https://github.com/better-auth/better-auth/commit/99a254a79b59d5a3f5ca2123260118cddb5beed7"},{"type":"FIX","url":"https://github.com/better-auth/better-auth/pull/9573"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/better-auth/better-auth","events":[{"introduced":"0e3f188020fa785d44d0019a3a3c8407a4cc8d5f"},{"fixed":"99a254a79b59d5a3f5ca2123260118cddb5beed7"},{"fixed":"f41514ef07cfafc5dbf463bd1500aee6575d88a7"}],"database_specific":{"extracted_events":[{"introduced":"1.6.0"},{"fixed":"1.6.11"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v1.6.10","better-auth@1.6.10","auth@1.6.10","@better-auth/test-utils@1.6.10","@better-auth/telemetry@1.6.10","@better-auth/stripe@1.6.10","@better-auth/sso@1.6.10","@better-auth/scim@1.6.10","@better-auth/redis-storage@1.6.10","@better-auth/prisma-adapter@1.6.10","@better-auth/passkey@1.6.10","@better-auth/oauth-provider@1.6.10","@better-auth/mongo-adapter@1.6.10","@better-auth/memory-adapter@1.6.10","@better-auth/kysely-adapter@1.6.10","@better-auth/i18n@1.6.10","@better-auth/expo@1.6.10","@better-auth/electron@1.6.10","@better-auth/drizzle-adapter@1.6.10","@better-auth/core@1.6.10","@better-auth/api-key@1.6.10","v1.6.9","better-auth@1.6.9","auth@1.6.9","@better-auth/test-utils@1.6.9","@better-auth/telemetry@1.6.9","@better-auth/stripe@1.6.9","@better-auth/sso@1.6.9","@better-auth/scim@1.6.9","@better-auth/redis-storage@1.6.9","@better-auth/prisma-adapter@1.6.9","@better-auth/passkey@1.6.9","@better-auth/oauth-provider@1.6.9","@better-auth/mongo-adapter@1.6.9","@better-auth/memory-adapter@1.6.9","@better-auth/kysely-adapter@1.6.9","@better-auth/i18n@1.6.9","@better-auth/expo@1.6.9","@better-auth/electron@1.6.9","@better-auth/drizzle-adapter@1.6.9","@better-auth/core@1.6.9","@better-auth/api-key@1.6.9","v1.6.8","better-auth@1.6.8","auth@1.6.8","@better-auth/test-utils@1.6.8","@better-auth/telemetry@1.6.8","@better-auth/stripe@1.6.8","@better-auth/sso@1.6.8","@better-auth/scim@1.6.8","@better-auth/redis-storage@1.6.8","@better-auth/prisma-adapter@1.6.8","@better-auth/passkey@1.6.8","@better-auth/oauth-provider@1.6.8","@better-auth/mongo-adapter@1.6.8","@better-auth/memory-adapter@1.6.8","@better-auth/kysely-adapter@1.6.8","@better-auth/i18n@1.6.8","@better-auth/expo@1.6.8","@better-auth/electron@1.6.8","@better-auth/drizzle-adapter@1.6.8","@better-auth/core@1.6.8","@better-auth/api-key@1.6.8","v1.6.7","better-auth@1.6.7","auth@1.6.7","@better-auth/test-utils@1.6.7","@better-auth/telemetry@1.6.7","@better-auth/stripe@1.6.7","@better-auth/sso@1.6.7","@better-auth/scim@1.6.7","@better-auth/redis-storage@1.6.7","@better-auth/prisma-adapter@1.6.7","@better-auth/passkey@1.6.7","@better-auth/oauth-provider@1.6.7","@better-auth/mongo-adapter@1.6.7","@better-auth/memory-adapter@1.6.7","@better-auth/kysely-adapter@1.6.7","@better-auth/i18n@1.6.7","@better-auth/expo@1.6.7","@better-auth/electron@1.6.7","@better-auth/drizzle-adapter@1.6.7","@better-auth/core@1.6.7","@better-auth/api-key@1.6.7","v1.6.6","better-auth@1.6.6","auth@1.6.6","@better-auth/test-utils@1.6.6","@better-auth/telemetry@1.6.6","@better-auth/stripe@1.6.6","@better-auth/sso@1.6.6","@better-auth/scim@1.6.6","@better-auth/redis-storage@1.6.6","@better-auth/prisma-adapter@1.6.6","@better-auth/passkey@1.6.6","@better-auth/oauth-provider@1.6.6","@better-auth/mongo-adapter@1.6.6","@better-auth/memory-adapter@1.6.6","@better-auth/kysely-adapter@1.6.6","@better-auth/i18n@1.6.6","@better-auth/expo@1.6.6","@better-auth/electron@1.6.6","@better-auth/drizzle-adapter@1.6.6","@better-auth/core@1.6.6","@better-auth/api-key@1.6.6","v1.6.5","better-auth@1.6.5","auth@1.6.5","@better-auth/test-utils@1.6.5","@better-auth/telemetry@1.6.5","@better-auth/stripe@1.6.5","@better-auth/sso@1.6.5","@better-auth/scim@1.6.5","@better-auth/redis-storage@1.6.5","@better-auth/prisma-adapter@1.6.5","@better-auth/passkey@1.6.5","@better-auth/oauth-provider@1.6.5","@better-auth/mongo-adapter@1.6.5","@better-auth/memory-adapter@1.6.5","@better-auth/kysely-adapter@1.6.5","@better-auth/i18n@1.6.5","@better-auth/expo@1.6.5","@better-auth/electron@1.6.5","@better-auth/drizzle-adapter@1.6.5","@better-auth/core@1.6.5","@better-auth/api-key@1.6.5","v1.6.4","better-auth@1.6.4","auth@1.6.4","@better-auth/test-utils@1.6.4","@better-auth/telemetry@1.6.4","@better-auth/stripe@1.6.4","@better-auth/sso@1.6.4","@better-auth/scim@1.6.4","@better-auth/redis-storage@1.6.4","@better-auth/prisma-adapter@1.6.4","@better-auth/passkey@1.6.4","@better-auth/oauth-provider@1.6.4","@better-auth/mongo-adapter@1.6.4","@better-auth/memory-adapter@1.6.4","@better-auth/kysely-adapter@1.6.4","@better-auth/i18n@1.6.4","@better-auth/expo@1.6.4","@better-auth/electron@1.6.4","@better-auth/drizzle-adapter@1.6.4","@better-auth/core@1.6.4","@better-auth/api-key@1.6.4","v1.6.3","better-auth@1.6.3","auth@1.6.3","@better-auth/test-utils@1.6.3","@better-auth/telemetry@1.6.3","@better-auth/stripe@1.6.3","@better-auth/sso@1.6.3","@better-auth/scim@1.6.3","@better-auth/redis-storage@1.6.3","@better-auth/prisma-adapter@1.6.3","@better-auth/passkey@1.6.3","@better-auth/oauth-provider@1.6.3","@better-auth/mongo-adapter@1.6.3","@better-auth/memory-adapter@1.6.3","@better-auth/kysely-adapter@1.6.3","@better-auth/i18n@1.6.3","@better-auth/expo@1.6.3","@better-auth/electron@1.6.3","@better-auth/drizzle-adapter@1.6.3","@better-auth/core@1.6.3","@better-auth/api-key@1.6.3","v1.6.2","better-auth@1.6.2","auth@1.6.2","@better-auth/test-utils@1.6.2","@better-auth/telemetry@1.6.2","@better-auth/stripe@1.6.2","@better-auth/sso@1.6.2","@better-auth/scim@1.6.2","@better-auth/redis-storage@1.6.2","@better-auth/prisma-adapter@1.6.2","@better-auth/passkey@1.6.2","@better-auth/oauth-provider@1.6.2","@better-auth/mongo-adapter@1.6.2","@better-auth/memory-adapter@1.6.2","@better-auth/kysely-adapter@1.6.2","@better-auth/i18n@1.6.2","@better-auth/expo@1.6.2","@better-auth/electron@1.6.2","@better-auth/drizzle-adapter@1.6.2","@better-auth/core@1.6.2","@better-auth/api-key@1.6.2","v1.6.1","better-auth@1.6.1","auth@1.6.1","@better-auth/test-utils@1.6.1","@better-auth/telemetry@1.6.1","@better-auth/stripe@1.6.1","@better-auth/sso@1.6.1","@better-auth/scim@1.6.1","@better-auth/redis-storage@1.6.1","@better-auth/prisma-adapter@1.6.1","@better-auth/passkey@1.6.1","@better-auth/oauth-provider@1.6.1","@better-auth/mongo-adapter@1.6.1","@better-auth/memory-adapter@1.6.1","@better-auth/kysely-adapter@1.6.1","@better-auth/i18n@1.6.1","@better-auth/expo@1.6.1","@better-auth/electron@1.6.1","@better-auth/drizzle-adapter@1.6.1","@better-auth/core@1.6.1","@better-auth/api-key@1.6.1","v1.6.0","better-auth@1.6.0","auth@1.6.0","@better-auth/test-utils@1.6.0","@better-auth/telemetry@1.6.0","@better-auth/stripe@1.6.0","@better-auth/sso@1.6.0","@better-auth/scim@1.6.0","@better-auth/redis-storage@1.6.0","@better-auth/prisma-adapter@1.6.0","@better-auth/passkey@1.6.0","@better-auth/oauth-provider@1.6.0","@better-auth/mongo-adapter@1.6.0","@better-auth/memory-adapter@1.6.0","@better-auth/kysely-adapter@1.6.0","@better-auth/i18n@1.6.0","@better-auth/expo@1.6.0","@better-auth/electron@1.6.0","@better-auth/drizzle-adapter@1.6.0","@better-auth/core@1.6.0","@better-auth/api-key@1.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45337.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L"}]}