Authentication Bypass Using an Alternate Path or Channel in better-auth

Q: How to fix?

Upgrade better-auth to version 1.4.9 or higher.

Introduced: 3 Apr 2026

How to fix?

Upgrade better-auth to version 1.4.9 or higher.

Overview

better-auth is a The most comprehensive authentication library for TypeScript.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the session.cookieCache component. An attacker can gain unauthorized access to protected application routes by leveraging a session that is cached as valid before all authentication steps, such as two-factor authentication, are completed.

Note:

This is only exploitable if both two-factor authentication and session cookie caching are enabled.

Workaround

This vulnerability can be mitigated by disabling session.cookieCache when two-factor authentication is in use.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Authentication Bypass Using an Alternate Path or Channel Affecting better-auth package, versions <1.4.9

Severity

Do your applications use this vulnerable package?