GHSA-xg6x-h9c9-2m83: Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.