better-auth is vulnerable to Improper Authentication
83
High Risk
Magic-link verification and email-OTP sign-in adopt a pre-existing account when one already exists for the address, marking it verified and issuing a session. If that account had a password set before its email was ever confirmed, the password and existing sessions stayed valid after verification. An actor who registered the address and set a password on the unconfirmed account could therefore retain credential access once the real mailbox owner signs in, leading to account takeover. The fix removes the credential account and revokes existing sessions when these email-proof flows resolve to a previously unverified account.
You are affected if you are using a version that falls within the vulnerable range and you enable the magic link or email OTP plugin alongside email-and-password accounts with open registration.
better-auth is vulnerable to Improper Authentication in versions 1.1.3 - 1.6.21.
Upgrade the better-auth library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant