EXECUTIVE SUMMARY:
A critical authentication-bypass vulnerability CVE-2025-61928, CVSSv4 9.3 was found in the Better Auth TypeScript library’s API-key plugin that lets unauthenticated attackers supply a userId in requests to create or modify API keys for arbitrary users — effectively allowing full account takeover and theft of API keys with a simple unauthenticated curl request. The flaw stems from insecure user-context logic and skipped server-side validation when authRequired is false; it affects Better Auth ≤ 1.3.25, which tightens authentication on the affected endpoints.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A critical authentication-bypass vulnerability CVE-2025-61928, CVSSv4 9.3 was found in the Better Auth TypeScript library’s API-key plugin that lets unauthenticated attackers supply a userId in requests to create or modify API keys for arbitrary users — effectively allowing full account takeover and theft of API keys with a simple unauthenticated curl request. The flaw stems from insecure user-context logic and skipped server-side validation when authRequired is false; it affects Better Auth ≤ 1.3.25, which tightens authentication on the affected endpoints.[emaillocker id="1283"]
RECOMMENDATION:
We strongly recommend you update Better Auth to version 1.3.26 .
REFERENCES:
The following reports contain further technical details:
[/emaillocker]