CVE-2025-61928

Published Oct 9, 2025

Last updated 5 months ago

Overview

Description
Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route.

The handler resolves the acting user as `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Validation of server-only fields only executes when `authRequired` is true (lines 280-295), so the same request can also set privileged fields. No additional authentication occurs before the database operation, and the malicious payload is accepted. The same pattern exists in the update endpoint.

This is a critical authentication bypass enabling full account takeover: an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. With that key the attacker can perform any action as the victim user, potentially compromising the user's data and the application, depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-285

Social media

Hype score
Not currently trending
  1. 🚨 CVE-2025-61928: better-auth API Keys Plugin Lets Attackers Mint Privileged Keys Without Logging In A logic flaw in better-auth’s `createApiKey` (and `updateApiKey`) handler allows unauthenticated requests that include a `userId` to bypass auth checks and generate valid API

    @ThreatSynop

    19 Feb 2026

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical Account Takeover via Unauthenticated API Key Creation in better-auth (CVE-2025-61928) #AccountTakeover #BetterAuth #CVE202561928 #APIKeySecurity #ZeroPath https://t.co/2E9W3TgM4D

    @reverseame

    18 Feb 2026

    684 Impressions

    0 Retweets

    8 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  3. #VulnerabilityReport #APIKeyTheft Critical Auth Bypass (CVE-2025-61928) in Better Auth Allows Hackers to Steal User API Keys https://t.co/vaIqFSWI24

    @Komodosec

    19 Nov 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Critical Auth Bypass in Better Auth (CVE-2025-61928) Read the full report on - https://t.co/ipfzplocZP https://t.co/nyEaeZPccJ

    @cyberbivash

    21 Oct 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🇺🇸 🚨 BREAKING: Critical CVE-2025-61928 in better-auth 'API keys' plugin permits unauthenticated actors to create privileged credentials for arbitrary users. Affects better-auth on npm (~300k weekly). #Cybersecurity #CVE https://t.co/02x8AKbsux

    @STRATINT_AI

    21 Oct 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 CRITICAL: Better-Auth flaw (CVE-2025-61928) lets unauthenticated attackers create API keys—full account takeover risk! 300K+ weekly downloads. Disable API key creation & review access now. https://t.co/cAC7s4iTZ3... https://t.co/PUlN9mxaPJ

    @offseq

    21 Oct 2025

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Better-Auth Critical Account Takeover via Unauthenticated API Key Creation (CVE-2025-61928) https://t.co/kBN5TFBOS1 https://t.co/znWiRJGLwc

    @secharvesterx

    20 Oct 2025

    106 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Better Auth Flaw (CVE-2025-61928) Allows Hackers to Completely Bypass Login and Steal User API Keys Read the full report on - https://t.co/FnMyBugeHN https://t.co/nNVZEXXfne

    @cyberbivash

    13 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🟥 CVE-2025-61928, CVSS: 9.3 (#Critical) Better Auth versions prior to 1.3.26. Critical authentication bypass vulnerability. Unauthenticated attackers can create or modify API keys for any user, gaining complete access to user accounts and data. The vulnerability allows http

    @UjlakiMarci

    10 Oct 2025

    103 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    2 Replies

    0 Quotes

  10. CVE-2025-61928 Authentication Bypass in Better Auth Library Allows Unauthorized API Key Generation https://t.co/BjLxJjuxoG

    @VulmonFeeds

    10 Oct 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2025-61928 Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for an… https://t.co/VZOTb58PjW

    @CVEnew

    9 Oct 2025

    388 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes