Better Auth: Unauthenticated API key creation through api-key plugin
High severity
GitHub Reviewed
Published
Oct 8, 2025
in
better-auth/better-auth
•
Updated Dec 9, 2025
Description
Published to the GitHub Advisory Database
Oct 9, 2025
Reviewed
Oct 9, 2025
Published by the National Vulnerability Database
Oct 9, 2025
Last updated
Dec 9, 2025
Summary
A critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions.
Details
The vulnerability originated from fallback logic used when determining the current user. When no session was present, the handler incorrectly allowed request-body data to populate the user context used for authorization decisions. Because server-side validation only executed when authentication was required, privileged fields were not properly protected. As a result, the API accepted unauthenticated requests that targeted other users.
This same pattern affected both the API key creation and update routes.
Impact
Unauthenticated attackers could generate or modify API keys belonging to any user. This granted full authenticated access as the targeted user and, depending on the user’s privileges, could lead to account compromise, access to sensitive data, or broader application takeover.
References