CVE-2026-45337: Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
Better Auth’s deviceAuthorization plugin treated any authenticated session as the owner of any pending device code. The ownership gate on POST /device/approve and POST /device/deny short-circuited whenever the row’s userId was unset, and the GET /device verification handler did not claim the row. An authenticated attacker who learned a valid user_code before the legitimate user completed approval could bind the polling device to the attacker’s account or deny the legitimate flow.
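To make the ownership flaw concrete, here is an added, simplified model of the gate described above beside a hardened version. It is illustrative code written for this page, not the Better Auth plugin's source; the row shape, the in-memory store and the function names are assumptions.

```typescript
// Hypothetical, simplified model of a device-code row and the approve/deny gate
// (constructed for illustration; not the plugin's real types or handlers).
type DeviceCodeRow = { userCode: string; userId?: string; status: "pending" | "approved" | "denied" };
type Session = { userId: string };

const store = new Map<string, DeviceCodeRow>();

// Seed a pending row as the token endpoint would after a device requested a code.
function seedPending(userCode: string): void {
  store.set(userCode, { userCode, status: "pending" });
}

// Vulnerable gate: the ownership comparison only runs when userId is already set,
// so an unclaimed pending row is approved by whichever session arrives first.
function approveVulnerable(session: Session, userCode: string): boolean {
  const row = store.get(userCode);
  if (!row || row.status !== "pending") return false;
  if (row.userId && row.userId !== session.userId) return false; // skipped when userId is unset
  row.userId = session.userId;
  row.status = "approved";
  return true;
}

// Hardened step 1: the verification handler (GET /device) claims the row for the
// viewing user the first time it is shown, and rejects a later, different user.
function verifyFixed(session: Session, userCode: string): boolean {
  const row = store.get(userCode);
  if (!row || row.status !== "pending") return false;
  if (row.userId === undefined) row.userId = session.userId;
  return row.userId === session.userId;
}

// Hardened step 2: approve and deny require a claimed row whose owner matches
// the session; an unclaimed row is never decided.
function decideFixed(session: Session, userCode: string, decision: "approved" | "denied"): boolean {
  const row = store.get(userCode);
  if (!row || row.status !== "pending") return false;
  if (row.userId === undefined || row.userId !== session.userId) return false;
  row.status = decision;
  return true;
}

// Helper for inspecting the outcome of a flow.
function rowState(userCode: string): DeviceCodeRow | undefined {
  return store.get(userCode);
}
```

The same claim-then-compare pattern applies to any pending-approval object that a second session could otherwise decide on the first user's behalf.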