chore(deps): update dependency better-auth to v1.3.26 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	1.3.9 -> 1.3.26

GitHub Vulnerability Alerts

CVE-2025-61928

Summary

Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route.

Details

The vulnerability exists in the authentication logic at when checking for user authentication then derives the user as session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint.

PoC

curl -X POST http://localhost:3000/api/auth/api-key/create \
   -H 'Content-Type: application/json' \
   -d '{
         "userId": "victim-user-id",
         "name": "zeropath"
       }'

Response contains the new API key whose userId matches the victim, confirming the bypass.

Impact

This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges.

This issue was found by ZeroPath.

---

Release Notes

better-auth/better-auth (better-auth)

v1.3.26

Compare Source

   🐞 Bug Fixes

• [security] api keys should properly check if a request is from client or server  -  by @​Bekacru (55608)
• api-key: Shouldn't issue api key a mock session by default  -  by @​Bekacru (a49e5)

    View changes on GitHub

v1.3.25

Compare Source

   🚀 Features

• Additional fields on account  -  by @​dvanmali in #​4935 (f148f)
• Add support for custom callback for token url  -  by @​acusti in #​5027 (3f668)
• captcha: Add support for CaptchaFox  -  by @​tgrassl in #​4944 (b6119)
• cli: Add mcp client configs from cli  -  by @​Kinfe123 and @​himself65 in #​4872 (e1082)

   🐞 Bug Fixes

• Support compressed ipv6 format  -  by @​Velka-DEV in #​4982 (c2f27)
• Add required constraint to slug filed in org plugin  -  by @​bytaesu in #​4989 (39189)
• Use consistent messaging on requestPasswordReset  -  by @​Eazash in #​5014 (d6224)
• Cookie size limit shouldn't throw error  -  by @​Bekacru and @​himself65 in #​5031 (dece5)
• Handle symbols in proxy get trap to prevent TypeError  -  by @​zbeyens and @​himself65 in #​4924 (85f3b)
• Ttl for rate limited secondary storage  -  by @​dvanmali in #​4961 (45cd3)
• adapter:
  • Use updated field values in WHERE clause during update  -  by @​QuintenStr and @​ping-maxwell in #​5004 (3e298)
  • Foreign keys that are nullable on number ids can return string of null  -  by @​ping-maxwell in #​5036 (84e99)
• api-key:
  • Correct refill interval time calculation  -  by @​Pankaj3112 and @​himself65 in #​4871 (64ac8)
• client:
  • Add lynx client exports  -  by @​JagritGumber in #​4950 (70202)
• device-authorization:
  • Fix client error type for deny device  -  by @​3ddelano in #​5022 (ec788)
• last-login-method:
  • Custom resolver method default logic  -  by @​ThibautCuchet in #​4821 (2616e)
• oauth-proxy:
  • Should skip state check for oauth proxy  -  by @​Bekacru in #​4991 (a3c1d)
• oidc:
  • Properly enforce consent requirements per OIDC spec  -  by @​himself65 in #​4974 (20704)
• org:
  • Update type to include undefined  -  by @​himself65 in #​5003 (cce9e)
• sso:
  • Safe json parsing for saml/oidc configs  -  by @​natetewelde and @​himself65 in #​4858 (d09c7)
  • Prevent duplicate SSO provider creation with same providerId  -  by @​xiaoyu2er in #​5033 (cfe64)
• stripe:
  • Update with an existing subscription  -  by @​himself65 in #​4988 (6a288)
  • Sync customer email on db change  -  by @​himself65 in #​4995 (cdd7b)
  • getCustomerCreateParams not actually being called  -  by @​ebalo55 and @​himself65 in #​5019 (cdd6f)

   🏎 Performance

• Lazy load create telemetry  -  by @​himself65 in #​5007 (e05ce)

    View changes on GitHub

v1.3.24

Compare Source

   🚀 Features

• Add support for custom callback for authorization url  -  by @​Bekacru in #​4919 (458cb)

   🐞 Bug Fixes

• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (80b8c)
• cli: Timestamp in schema for Drizzle with SQLite  -  by @​zy1p in #​4622 (cee5a)
• db: onDelete is ignored  -  by @​himself65 in #​4973 (aba9a)
• deps: Update dependency @​nanostores/react to v1  -  in #​4963 (483f6)

   🏎 Performance

• Improve type Auth  -  by @​himself65 in #​4930 (574b9)

    View changes on GitHub

v1.3.23

Compare Source

v1.3.22

Compare Source

v1.3.21

Compare Source

v1.3.20

Compare Source

v1.3.19

Compare Source

   🐞 Bug Fixes

• getSession shouldn't expose options and path types  -  by @​Bekacru in #​4947 (633a7)

    View changes on GitHub

v1.3.18

Compare Source

   🐞 Bug Fixes

• Ttl sessions list expiration  -  by @​dvanmali in #​3836 (71129)
• Tests failing due to clock drift  -  by @​dvanmali in #​4915 (8351c)
• Moved email verification check after password check  -  by @​QuintenStr in #​4835 (0088c)
• cli: DefaultNow is deprecated in schema for Drizzle with SQLite  -  by @​himself65 in #​4889 (e979f)
• custom-session: Don't overwrite the Set-Cookie header  -  by @​frectonz in #​4388 (15b00)
• email-otp: Call reset password callback  -  by @​HoshangDEV in #​4818 (45101)

    View changes on GitHub

v1.3.17

Compare Source

   🚀 Features

• sso: Provide default service provider metadata  -  by @​dvanmali in #​4866 (4a9d1)

   🐞 Bug Fixes

• nuxt: Avoid load env base url for SSR  -  by @​himself65 in #​4887 (15cc7)

    View changes on GitHub

v1.3.16

Compare Source

No significant changes

    View changes on GitHub

v1.3.15

Compare Source

   🐞 Bug Fixes

• types: Include null in getSession return type  -  by @​jcajuab in #​4812 (d447c)

    View changes on GitHub

v1.3.14

Compare Source

   🚀 Features

• passkey: Allow multiple passkey origins  -  by @​kevcube in #​4800 (d9601)
• sso: DefaultSSO options and ACS endpoint  -  by @​Kinfe123 and Bereket Engida in #​3660 (348f3)

   🐞 Bug Fixes

• Wrap Math.floor around the division when calculating TTL  -  by @​DevDuki, Dusan Misic, ping-maxwell and @​himself65 in #​4768 (08da9)
• api-key:
  • Calling client on server side  -  by @​himself65 in #​4777 (d384e)
• mcp:
  • Missing Content-Type header for mcp DCR  -  by @​Berndwl in #​4763 (a6b2e)
• organization:
  • Pass ctx to DB hooks  -  by @​ping-maxwell in #​4769 (39c21)
  • Allow passing id through beforeCreateOrganization  -  by @​ping-maxwell in #​4765 (25a43)
• username:
  • Username should respect send on sign config  -  by @​QuintenStr in #​4799 (ac49e)

    View changes on GitHub

v1.3.13

Compare Source

   🚀 Features

• Add returnHeaders to getSession  -  by @​frectonz in #​3983 (8a4b3)
• last-login-method: Update OAuth login method tracking for multiple auth type  -  by @​Kinfe123 in #​4693 (c03fd)

   🐞 Bug Fixes

• client: BaseURL is undefined for SSR  -  by @​himself65 in #​4760 (c1514)
• organization: Remove autoCreateOnSignUp option as it's not implemented yet  -  by @​Bekacru in #​4755 (21bd4)
• passkey: Remove email from query  -  by @​himself65 in #​4740 (8709a)

    View changes on GitHub

v1.3.12

Compare Source

   🚀 Features

• discord: Allow specification of permissions  -  by @​TheUntraceable and @​Bekacru in #​4717 (c6e33)
• email-otp: Allow returning undefined in generateOTP  -  by @​ping-maxwell in #​4723 (11dbf)

   🐞 Bug Fixes

• Device authorization plugin  -  by @​bytaesu in #​4695 (578a6)
• Reduce any type in generator.ts  -  by @​himself65 in #​4710 (fd29b)
• Refresh secondary storage sessions on user update  -  by @​frectonz in #​4522 (c3354)
• Allow disable database transaction  -  by @​himself65 in #​4733 (7efd1)
• adapter:
  • Returning null as string for optional id references  -  by @​jslno in #​4713 (c6e5d)
• api-key:
  • Cascade api keys on user deletion  -  by @​ping-maxwell in #​4703 (62b50)
• create-adapter:
  • Disable transaction by default  -  by @​ping-maxwell in #​4750 (4a434)
• organization:
  • Decouple client and server permission checks  -  by @​Bekacru in #​4707 (adfc4)
  • Membership check for organizations with large member counts  -  by @​Badbird5907 and @​himself65 in #​4724 (97b02)
• stripe:
  • OnCustomerCreate should be called even if update user isn't returned  -  by @​Bekacru in #​4716 (d3509)

    View changes on GitHub

v1.3.11

Compare Source

   🚀 Features

• Flip emailVerified when link the account  -  by @​himself65 in #​4621 (cf2ca)

   🐞 Bug Fixes

• Check if user exists before banning the user  -  by @​anmol-fzr, KinfeMichael Tariku and @​himself65 in #​4649 (283c2)
• Timestamp issues in kysely  -  by @​frectonz and @​himself65 in #​4542 (e5874)
• Respect errorCallbackURL in failed oauth flows  -  by @​frectonz in #​4650 (43545)
• plugins: Asynchronous init  -  by @​LightTab2 and @​himself65 in #​4680 (9d216)

    View changes on GitHub

v1.3.10

Compare Source

   Maintenance update: We fixed lots of issues from the community. Thanks to everyone for contributing to better-auth.

   🚀 Features

• Add getActiveRoleMember  -  by @​fathisiddiqi, @​Kinfe123 and @​himself65 in #​4484 (f6f19)
• Database transaction support  -  by @​himself65 and Joel Solano in #​4414 (22c39)
• logger: Option to disable colors  -  by @​martiinii and @​himself65 in #​4402 (53076)
• passkey: Error codes in passkey client  -  by @​frectonz, @​Kinfe123 and @​Bekacru in #​3966 (4b2f5)
• sqlite: Remove autoincrement for SQLite  -  by @​pspeter3 in #​4466 (f2c9d)

   🐞 Bug Fixes

• Ignore cookiecache on auth sensitive functions  -  by @​Kinfe123 in #​4530 (e2a95)
• Custom field for refreshTokenExpiresAt  -  by @​himself65 in #​4569 (cc007)
• Return local IP in development mode  -  by @​DiiiaZoTe and @​himself65 in #​2511 (b4ad6)
• Make cookie cache respect dontRememberMe mode  -  by @​frectonz in #​4558 (acb28)
• Normalize zod imports  -  by @​gabrielmar in #​4593 (adbfc)
• Check endpoint conflicts respect method  -  by @​himself65 in #​4595 (60930)
• Respect username validator  -  by @​azaek and @​himself65 in #​3669 (b8bed)
• Set clientId in ProviderOptions to unknown by default  -  by @​himself65 in #​4596 (78250)
• Pick the first clientId for oauth provider  -  by @​himself65 in #​4598 (8df46)
• Remove use of global.crypto  -  by @​himself65 in #​4606 (ef450)
• Should infer types correctly when empty list of plugins is provided  -  by @​frectonz in #​4612 (08fa1)
• Correct MongoDB adapter import path in CLI  -  by @​aajeeth-m in #​4602 (58963)
• Make sure fetch function doesn't get called repeatedly on onMount  -  by @​frectonz in #​4669 (9d6e4)
• Prevent lastLoginMethod plugin from setting cookie on failed auth  -  by @​Kinfe123 in #​4673 (e297c)
• admin:
  • Change the order of role and user id check when both are provider on userHasPermission  -  by @​Bekacru in #​4653 (29c57)
• anonymous:
  • Prevent false positive error on first anonymous sign-in  -  by @​ajanraj and @​himself65 in #​3662 (96804)
• cli:
  • info shows the correct version  -  by @​himself65 in #​4547 (7faae)
  • Add missing JSON type to schema generation  -  by @​TheGB0077 and @​Kinfe123 in #​4494 (20e87)
• demo:
  • Update forgot password link to /forget-password  -  by @​GivenBY in #​4567 (94450)
• docs:
  • Remove duplicated RFC compliance mention  -  by @​TheUntraceable in #​4581 (5f80c)
• expo:
  • window.crypto is undefined  -  by @​himself65 in #​4620 (7dbc5)
  • Missing peer deps  -  by @​himself65 in #​4617 (16160)
• lastLoginMethod:
  • Inherit cross-subdomain cookie settings in lastLoginMethod plugin  -  by @​lumpinif in #​4572 (78424)
• memory-adapter:
  • Should respect where connector  -  by @​jslno in #​4549 (784db)
• multi-session:
  • Multi-session cookie name preface preventing multiple accounts signed in  -  by @​PacifismPostMortem in #​4505 (8eb64)
• one-time-token:
  • Typo and clean  -  by @​gabrielmar in #​4579 (01365)
• organization:
  • checkRolePermission shouldn't be a promise  -  by @​ping-maxwell in #​4533 (abfc4)
  • Member and team hooks should apply on create organization  -  by @​Bekacru in #​4600 (7fc23)
  • Before org create hooks not applying customized data  -  by @​Bekacru in #​4623 (da9b8)
  • [security] updateOrgRole should check for userId properly  -  by @​Bekacru (12a9d)
  • Restrict role check by user id  -  by @​himself65 in #​4641 (f5fd8)
• prisma:
  • Handle optional field relation types correctly  -  by @​LiYulin-s in #​4630 (80b73)
• stripe:
  • Properly resolve plans by lookup keys  -  by @​AlexProgrammerDE in #​4499 (b531d)
  • Subscription is created without completing payment  -  by @​himself65 in #​4548 (e663f)
  • Prevent multiple free trials for same user  -  by @​RikhiSingh in #​4562 (1bb12)
  • Use correct request method for billing-portal  -  by @​danielepintore in #​4613 (9f23e)
• tiktok:
  • Remove client_secrect from authorizationUrl  -  by @​arslan2012 in #​4511 (71aeb)
• username:
  • Add missing normalization  -  by @​bortoz and @​himself65 in #​3636 (9d316)
  • Sign in should work with post normalization  -  by @​Bekacru and @​himself65 in #​4599 (b2dfb)
• vue:
  • Correct baseURL  -  by @​himself65 in #​4578 (90ea9)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.