PT-2026-41393 · Better Auth+2 · Better Auth

Published

2026-05-15

·

Updated

2026-05-28

·

CVE-2026-45364

CVSS v3.1

7.3

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions Better Auth versions prior to 1.4.17 Better Auth versions prior to 1.5.0-beta.9
Description The HTTP rate limiter in Better Auth identifies requests based on the exact textual IP address found in the x-forwarded-for header or other configured IP-bearing headers. This implementation allows IPv6 clients with a /64 allocation to rotate through 2^64 distinct source addresses, effectively bypassing rate limits on endpoints such as '/sign-in/email', '/sign-up/email', and '/forget-password'. Additionally, a single client can bypass the limiter by varying the textual encoding of an IPv6 address (e.g., using uppercase, compression, or IPv4-mapped formats) to generate multiple distinct keys. This issue occurs because the getIp() function returns the IP value verbatim and the onRequestRateLimit() function constructs keys via simple string concatenation. This bypass enables unbounded authentication attempts, facilitating credential stuffing, brute-force attacks, and account enumeration.
Recommendations For versions prior to 1.4.17, upgrade to version 1.4.17 or later. For versions prior to 1.5.0-beta.9, upgrade to version 1.5.0-beta.9 or later. As a workaround for version 1.4.16, set advanced.ipAddress.ipv6Subnet: 64 in the configuration. For versions prior to 1.4.16, configure the IPv6 prefix length to /64 (or coarser) on the upstream CDN, WAF, or load balancer rate-limit policy. As a partial mitigation for any version, tighten the customRules window for sign-in, sign-up, and password-reset endpoints.

Exploit

Fix

Improper Restriction of Excessive Authentication Attempts

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45364
GHSA-P6V2-XCPG-H6XW

Affected Products

Better Auth