Threat Advisory

Better-Auth Vulnerability Allows Device Hijacking

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45337 (CVSS score 7.6) is a logic flaw in the npm package better-auth (versions ≥ 1.6.0 and < 1.6.11) that affects the optional deviceAuthorization plugin. When the plugin is enabled, it treats any authenticated session as the owner of a pending device code: the ownership check on POST /device/approve and POST /device/deny is bypassed when the row's userId is unset, and the earlier GET /device handler fails to claim the row for the session that entered the code. An attacker who can observe a valid user_code (for example through shoulder-surfing, a screen share, support-chat transcripts, referrer headers, or shared logs) and who already holds a logged-in session of their own can call the approve or deny endpoint before the legitimate user completes verification, thereby hijacking the pending flow. Approving binds the polling device to the attacker's account (effectively taking over the device); denying blocks the legitimate sign-in. The business impact includes unauthorized access to user accounts, potential data exposure, disruption of legitimate authentication flows, and erosion of user trust. Exploitation requires the deviceAuthorization plugin to be active, a visible pending user code, and an authenticated session under the attacker's control.
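To make the flaw concrete, the following added example (constructed for this advisory, not better-auth's own code) models the pending-code row, the flawed ownership check that passes when userId is unset, and one hardened form in which GET /device claims the row and approve/deny require a matching owner; the in-memory store, session shape, handler names and the exact hardened form are assumptions.

```javascript
// Constructed model of the ownership check described in the advisory. It is
// NOT better-auth's source; the store, session shape, handler names and the
// exact hardened form are assumptions made for this illustration.
const rows = new Map(); // user_code -> { userId, status }

// Device starts the flow: the row exists but has no owner yet.
function issueCode(userCode) {
  rows.set(userCode, { userId: null, status: "pending" });
}

// Flawed check: an unset userId makes the comparison pass vacuously, so any
// authenticated session is accepted as the owner of a pending code.
function ownerCheckFlawed(row, session) {
  return !row.userId || row.userId === session.userId;
}

// Hardened check: the row must already have an owner, and that owner must be
// the session making the request.
function ownerCheckFixed(row, session) {
  return row.userId != null && row.userId === session.userId;
}

// Hardened GET /device: the session that enters the code claims the row, so a
// later approve/deny from any other session is rejected.
function claim(userCode, session) {
  const row = rows.get(userCode);
  if (!row || row.status !== "pending") return "not_found";
  if (row.userId == null) row.userId = session.userId;
  return row.userId === session.userId ? "claimed" : "forbidden";
}

// POST /device/approve or /device/deny, parameterised by the ownership check.
// A successful approve binds the polling device to session.userId.
function decide(userCode, session, outcome, ownerCheck) {
  const row = rows.get(userCode);
  if (!row || row.status !== "pending") return "not_found";
  if (!ownerCheck(row, session)) return "forbidden";
  row.userId = session.userId;
  row.status = outcome; // "approved" or "denied"
  return outcome;
}

// Which account the polling device ended up bound to.
function ownerOf(userCode) {
  const row = rows.get(userCode);
  return row ? row.userId : null;
}
```

When auditing similar device-authorization code, the pattern to look for is the `!row.userId ||` short-circuit in the owner comparison, which turns "no owner yet" into "anyone is the owner".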

RECOMMENDATION:

  • We recommend updating better-auth to version 1.6.11 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-cq3f-vc6p-68fh
