HarborGuard / CVE
CVE-2026-45364 · Severity: HIGH · CNA: GitHub_M

CVE-2026-45364: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.

HarborGuard Analysis

Synopsis

A rate-limiter bypass vulnerability affects Better Auth, a TypeScript authentication and authorization library. Before 1.4.17 and 1.5.0-beta.9, the HTTP rate limiter keys each request by the raw textual form of the client IP address taken from x-forwarded-for (or the configured IP-bearing header). Two consequences follow. An IPv6 client holding a standard /64 allocation can rotate through 2^64 distinct source addresses and never exhaust any per-address counter. Separately, a single IPv6 address can be written in several textual forms (uppercase, zero compression, IPv4-mapped, hex-encoded IPv4-in-IPv6), and each spelling is counted as a different client. Either technique lets an attacker send login, registration, and password-reset requests well past the intended cap, enabling credential stuffing, account enumeration, and resource exhaustion. The upstream fix is in 1.4.17 and 1.5.0-beta.9.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Better Auth as a dependency. Any image found to contain an affected version of better-auth is flagged immediately in the pipeline scan results.

Status: Available
Triage

HarborGuard scores this finding at CVSS 7.3 (HIGH) and weighs it against each environment's configured compliance policy to determine breach-of-threshold status. Triage routing to the appropriate team inbox within each customer org is available based on the policy and ownership mappings the customer defines.

Status: Available
Patch

The upstream fix is published: 1.4.17 for the 1.4 line and 1.5.0-beta.9 for the 1.5 beta line. HarborGuard rebuilds affected images against the fixed version that matches the image's release line (or a later stable release) as soon as it appears in the upstream package registry. For customers who have auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are initiated without manual intervention.

Status: Fix available upstream (1.4.17, 1.5.0-beta.9)

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send HTTP requests to the exposed Better Auth endpoint over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or session credential is needed; the attacker hits unauthenticated endpoints such as /sign-in/email and /forget-password directly.

  • Victim interaction: Not required

    The attack is entirely server-side; no user needs to click a link or take any action for exploitation to succeed.

  • Attack complexity: Low

    The bypass is reliable and needs no special timing or environmental precondition. The attacker either rotates through source addresses inside a /64 they control (a typical residential or hosting IPv6 assignment) or varies the textual encoding of a single address. Because the limiter keys on the forwarded header, a deployment whose reverse proxy passes a client-supplied x-forwarded-for value through instead of overwriting it is exposed even more directly: the attacker can then set the header to any value without owning the addresses at all.

Blast Radius

  • Attacker submits unlimited login attempts against any account, recovering valid credentials through brute force or credential stuffing.
  • Attacker enumerates valid email addresses by observing differential responses from the /sign-up/email and /forget-password endpoints without triggering the request cap.
  • Attacker registers accounts in bulk via /sign-up/email and floods /forget-password to send unsolicited reset emails to victims once the cap is defeated.
  • Attacker degrades service availability by flooding rate-limited endpoints with high request volume, exhausting application and database resources.

How HarborGuard Handles This

Available on HarborGuard: the upstream fix (better-auth 1.4.17 and 1.5.0-beta.9) is published, so HarborGuard rebuilds affected images against the fixed version for the image's release line, re-scores the affected findings, and surfaces the rebuilt image in the pipeline. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads trigger automatically with no manual steps required. Until the rebuilt image is rolled out, compensating controls worth considering are: network-policy rules that restrict public exposure of Better Auth endpoints; rate limiting at a reverse proxy or WAF in front of the service that canonicalizes the client address and counts IPv6 traffic per /64 (or a wider prefix) rather than per address; and a check that the proxy sets x-forwarded-for from the TCP peer address and does not forward a client-supplied value, since the limiter's key is derived from that header.
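The keying defect the advisory describes and the canonicalize-and-aggregate control recommended above, side by side, as an added TypeScript example. This is not Better Auth's or HarborGuard's code; the "v4:"/"v6:" key format, the /64 aggregation width, and the sample addresses are assumptions constructed for illustration, and choosing which hop of a multi-hop x-forwarded-for header to trust is left to the proxy layer.

```typescript
// Added example, not Better Auth's code. Shows why keying a rate limiter on
// the raw x-forwarded-for text is bypassable and how to canonicalize the
// address and aggregate IPv6 by /64 instead. Key format, prefix width and
// sample addresses are assumptions made for this example.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const V6_PREFIX_BYTES = 8; // aggregate IPv6 at /64 (assumed policy; /56 or /48 are also common)

function parseIPv4(text: string): Uint8Array | null {
  const m = IPV4_RE.exec(text);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.some((o) => o > 255) ? null : Uint8Array.from(octets);
}

// Expand any textual IPv6 form (mixed case, "::" compression, brackets, zone id,
// embedded dotted-quad such as ::ffff:203.0.113.7) into its 16 bytes.
function parseIPv6(text: string): Uint8Array | null {
  let s = text.trim();
  if (s.startsWith("[") && s.endsWith("]")) s = s.slice(1, -1);
  const zone = s.indexOf("%");
  if (zone !== -1) s = s.slice(0, zone);
  if (!/^[0-9a-fA-F:.]+$/.test(s)) return null;

  // Rewrite a trailing dotted-quad as two hextets so one code path remains.
  const lastColon = s.lastIndexOf(":");
  const tail = s.slice(lastColon + 1);
  if (tail.includes(".")) {
    const v4 = parseIPv4(tail);
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = s.slice(0, lastColon + 1) + hi + ":" + lo;
  }

  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups: string[] = [...head, ...Array(missing).fill("0"), ...rest];

  const out = new Uint8Array(16);
  for (let i = 0; i < 8; i++) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(groups[i])) return null;
    const v = parseInt(groups[i], 16);
    out[2 * i] = v >> 8;
    out[2 * i + 1] = v & 0xff;
  }
  return out;
}

function isIPv4Mapped(b: Uint8Array): boolean {
  for (let i = 0; i < 10; i++) if (b[i] !== 0) return false;
  return b[10] === 0xff && b[11] === 0xff;
}

const hex = (b: Uint8Array): string =>
  Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Vulnerable behaviour from the advisory: the header text is the counter key,
// so every spelling and every host in a /64 gets its own fresh counter.
function vulnerableKey(header: string): string | null {
  return header;
}

// Hardened: parse, canonicalize, fold IPv4-mapped into plain IPv4, and bucket
// IPv6 by its /64. Assumes the proxy already set a single trusted value.
function hardenedKey(header: string): string | null {
  const v4 = parseIPv4(header.trim());
  if (v4) return "v4:" + hex(v4);
  const v6 = parseIPv6(header);
  if (!v6) return null;
  if (isIPv4Mapped(v6)) return "v4:" + hex(v6.subarray(12));
  return "v6:" + hex(v6.subarray(0, V6_PREFIX_BYTES));
}

// Number of separate counters a sequence of requests would land in.
function distinctBuckets(keyFn: (h: string) => string | null, headers: string[]): number {
  const seen = new Set<string>();
  for (const h of headers) {
    const k = keyFn(h);
    if (k !== null) seen.add(k);
  }
  return seen.size;
}

// Constructed samples: one attacker rotating hosts inside 2001:db8:1:2::/64,
// four spellings of one address, and one IPv4 address in three encodings.
const ROTATING = Array.from({ length: 50 }, (_, i) => `2001:db8:1:2::${(i + 1).toString(16)}`);
const ENCODINGS = ["2001:db8::1", "2001:DB8:0:0:0:0:0:1", "2001:db8:0:0::0:1", "[2001:db8::1]"];
const MAPPED = ["203.0.113.7", "::ffff:203.0.113.7", "::FFFF:cb00:7107"];

console.log(distinctBuckets(vulnerableKey, ROTATING), distinctBuckets(hardenedKey, ROTATING)); // 50 1
console.log(new Set(ENCODINGS.map(hardenedKey)).size, new Set(MAPPED.map(hardenedKey)).size);   // 1 1
```

Under the vulnerable key the 50 rotating hosts consume 50 separate counters and the four spellings of 2001:db8::1 consume four; under the hardened key each set collapses to one counter, and the IPv4-mapped and hex-encoded forms of 203.0.113.7 share the counter of the plain IPv4 address. Unparseable header values return null rather than a key, which a real limiter should treat as a reason to reject or fall back to the socket peer address, not to skip counting.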

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 1.4.17, 1.5.0-beta.9
Affected products: 1
Affected packages
  • better-auth / better-auth
    < 1.4.17 · >= 1.5.0-beta.1, < 1.5.0-beta.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L