Unknown · Better Auth · CVE-2025-61928
**Name of the Vulnerable Software and Affected Versions**
Better Auth versions prior to 1.3.26
**Description**
Better Auth is an authentication and authorization library for TypeScript. A critical authentication bypass allows unauthenticated attackers to create or modify API keys for any user by sending a request to the `/api/auth/api-key/create` route with a user ID in the request body. The handler mishandles the absence of a session: the expression `session?.user ?? (authRequired ? null : { id: ctx.body.userId })` falls back to the attacker-controlled `userId` from the request body when no session exists, and that value is then used to create or modify API keys. This bypasses authentication checks and allows the attacker to generate API keys for any user, potentially compromising user data and application functionality. The same issue exists in the update endpoint. It is estimated that over 300,000 projects download this library weekly, potentially making a large number of applications vulnerable.
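The fallback described above, modelled next to a hardened variant as a regression check. This is an added example, not Better Auth source code or its patch: the `User`, `Session` and `Ctx` types, the `fromHttp` flag and both function names are hypothetical, and the hardened logic is one assumed fix for illustration.

```typescript
// Added model of the user-resolution step; not Better Auth source code.
// User, Session, Ctx, fromHttp and both function names are hypothetical.
type User = { id: string };
type Session = { user: User } | null;
type Ctx = {
  body: { userId?: string };
  fromHttp: boolean; // assumption: true when the call arrived as an HTTP request
};

// Vulnerable shape: the expression quoted in the description.
// With no session and authRequired === false, the body decides who the user is.
function resolveUserVulnerable(session: Session, authRequired: boolean, ctx: Ctx): User | null {
  return session?.user ?? (authRequired ? null : { id: ctx.body.userId as string });
}

// Hardened shape (an assumed fix for illustration, not the project's patch).
function resolveUserHardened(session: Session, ctx: Ctx): User | null {
  if (ctx.fromHttp) {
    // Over HTTP, identity comes from the session only.
    if (!session) return null;
    // A body userId naming a different user is refused, not silently ignored.
    if (ctx.body.userId !== undefined && ctx.body.userId !== session.user.id) return null;
    return session.user;
  }
  // Trusted in-process call: the server may name the user explicitly.
  if (session) return session.user;
  return ctx.body.userId ? { id: ctx.body.userId } : null;
}

// Constructed input: a sessionless HTTP call that names a user in the body.
const noSessionCall: Ctx = { body: { userId: "user-123" }, fromHttp: true };

// Returns the resolved user id (or null) per variant, for use in a regression test.
function compareVariants(): { vulnerable: string | null; hardened: string | null } {
  return {
    vulnerable: resolveUserVulnerable(null, false, noSessionCall)?.id ?? null,
    hardened: resolveUserHardened(null, noSessionCall)?.id ?? null,
  };
}
```

A `null` result is the case a handler should turn into an unauthorized response before any key is created or updated.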
**API Endpoints:**
`/api/auth/api-key/create`
**Vulnerable Parameters or Variables:**
`userId`, `ctx.body`
**Recommendations**
Update Better Auth to version 1.3.26 or later.