better-auth is vulnerable to Improper Authentication
Medium Risk
The getSessionCookie helper reads session tokens from incoming request cookies for middleware and integrations. When both a non-secure and a __Secure- prefixed session cookie were present, the helper preferred the non-secure value and could return a stale leftover token instead of the current secure session. Applications relying on getSessionCookie could therefore treat an outdated session as active after HTTPS or secure-cookie rollout. The fix prefers the __Secure- prefixed cookie and only falls back to the non-secure name when the secure value is absent.
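The cookie precedence described above, modelled as an added JavaScript example rather than better-auth's own code; the cookie names and the sample Cookie header are assumptions constructed for illustration:

```javascript
// Added example (not better-auth's own code): models the cookie-precedence bug
// described in the advisory. Cookie names are assumed for illustration.
const SESSION_COOKIE = "better-auth.session_token";          // assumed non-secure name
const SECURE_SESSION_COOKIE = "__Secure-" + SESSION_COOKIE;  // assumed secure-prefixed name

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
// Keeps the first occurrence of a name; malformed encodings are kept raw.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch { value = raw; }
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Vulnerable precedence: the non-secure name wins whenever it is present,
// so a stale cookie left over from a pre-HTTPS deployment masks the
// current __Secure- session.
function getSessionCookieVulnerable(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  return jar.get(SESSION_COOKIE) ?? jar.get(SECURE_SESSION_COOKIE) ?? null;
}

// Fixed precedence: the __Secure- prefixed cookie wins; the non-secure name
// is only consulted when no secure value is present (e.g. plain-HTTP dev).
function getSessionCookieFixed(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  return jar.get(SECURE_SESSION_COOKIE) ?? jar.get(SESSION_COOKIE) ?? null;
}

// Constructed request header: both cookies present after a secure-cookie rollout.
const MIXED_HEADER =
  `${SESSION_COOKIE}=stale-token-from-http-era; ` +
  `${SECURE_SESSION_COOKIE}=current-secure-token`;

console.log(getSessionCookieVulnerable(MIXED_HEADER)); // stale-token-from-http-era
console.log(getSessionCookieFixed(MIXED_HEADER));      // current-secure-token
```

When auditing a deployment, the same check can be run over captured Cookie headers from middleware logs to see whether any request still carries both names.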
You are affected if you are using a version that falls within the vulnerable range and your deployment can send both a non-secure and a __Secure- prefixed session cookie in the same request.
better-auth is vulnerable to Improper Authentication in versions 1.2.5 - 1.6.13.
Upgrade the better-auth library to a patched version.