Intel

AIKIDO-2026-310135

better-auth is vulnerable to Improper Authentication

Improper AuthenticationGHSA-qq9h-g4jm-xgf3 Published Jun 30, 2026

83

High Risk

This Affects:

JSbetter-auth
1.1.3 - 1.6.21
Fixed in 1.6.22
Are you affected? Scan for Free

TL;DR

Magic-link verification and email-OTP sign-in adopt a pre-existing account when one already exists for the address, marking it verified and issuing a session. If that account had a password set before its email was ever confirmed, the password and existing sessions stayed valid after verification. An actor who registered the address and set a password on the unconfirmed account could therefore retain credential access once the real mailbox owner signs in, leading to account takeover. The fix removes the credential account and revokes existing sessions when these email-proof flows resolve to a previously unverified account.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you enable the magic link or email OTP plugin alongside email-and-password accounts with open registration.

Background info

better-auth is vulnerable to Improper Authentication in versions 1.1.3 - 1.6.21.

How to fix this

Upgrade the better-auth library to the patch version.