better-auth is vulnerable to Authentication Bypass
Medium Risk
Google One Tap could authenticate a local user who merely shared the Google token email while the Google subject was already linked to a different account, diverging from the shared OAuth identity resolver used elsewhere. The /account-info endpoint also resolved provider accounts globally by account ID before ownership checks, which broke correct lookups when provider account IDs collided across users. Ambiguous internalAdapter helpers could non-deterministically match accounts or treat a session token string as a user ID and revoke every session for that user. The release routes One Tap through the shared OAuth path, scopes account lookups to the signed-in user, and splits session deletion into explicit user-scoped and token-scoped helpers.
You are affected if you are using a version that falls within the vulnerable range.
better-auth is vulnerable to Authentication Bypass in versions 1.0.0 - 1.6.12.
Upgrade the better-auth library to a patched version.
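The three lookup fixes the advisory describes (subject-keyed One Tap resolution, user-scoped account lookup, and separate user-scoped versus token-scoped session revocation), as an added TypeScript illustration over an in-memory store; this is not better-auth's code, and every type, function name and sample record is hypothetical.

```typescript
// Added illustration, not better-auth's code: an in-memory model of the lookup
// bugs in the advisory next to their user-scoped fixes. All names are hypothetical.
type Account = { userId: string; providerId: string; accountId: string };
type Session = { token: string; userId: string };
// Constructed sample data: Google subject "sub-123" is already linked to u2, while u1
// owns the email in the Google token; two providers share the account id "1001".
const users = [
  { id: "u1", email: "alice@example.com" },
  { id: "u2", email: "bob@example.com" },
];
const accounts: Account[] = [
  { userId: "u2", providerId: "google", accountId: "sub-123" },
  { userId: "u1", providerId: "github", accountId: "1001" },
  { userId: "u2", providerId: "discord", accountId: "1001" },
];
let sessions: Session[] = [
  { token: "tok-a", userId: "u1" },
  { token: "tok-b", userId: "u1" },
  { token: "tok-c", userId: "u2" },
];
// Weak: signs in whoever shares the token's email, ignoring the existing subject link.
function oneTapByEmail(token: { sub: string; email: string }): string | undefined {
  return users.find((u) => u.email === token.email)?.id;
}
// Fixed: the provider subject is the identity; an existing link wins, otherwise no match.
function oneTapBySubject(token: { sub: string; email: string }): string | undefined {
  return accounts.find((a) => a.providerId === "google" && a.accountId === token.sub)?.userId;
}
// Weak: global lookup by account id first, so a colliding id from another user's
// provider is picked up and the ownership check then rejects a legitimate owner.
function accountInfoGlobal(accountId: string, signedInUser: string): Account | undefined {
  const acct = accounts.find((a) => a.accountId === accountId);
  return acct?.userId === signedInUser ? acct : undefined;
}
// Fixed: scope the lookup to the signed-in user from the start.
function accountInfoScoped(accountId: string, signedInUser: string): Account | undefined {
  return accounts.find((a) => a.userId === signedInUser && a.accountId === accountId);
}
// Fixed: two explicitly named helpers, so a token string can never be read as a user id.
function revokeSessionsForUser(userId: string): number {
  const before = sessions.length;
  sessions = sessions.filter((s) => s.userId !== userId);
  return before - sessions.length;
}
function revokeSessionByToken(token: string): number {
  const before = sessions.length;
  sessions = sessions.filter((s) => s.token !== token);
  return before - sessions.length;
}
```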