Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.6
Better Auth Two-Factor Bypass via Session Caching
GHSA-xg6x-h9c9-2m83
Summary
An attacker can bypass two-factor authentication in Better Auth by exploiting a session caching issue. This allows them to access protected areas of the application without completing the second verification step. To fix this, update to a newer version of Better Auth, or ensure session caching waits for all authentication steps to be completed. As a temporary solution, you can also disable session caching when using two-factor authentication.
What to do
- Update better-auth to version 1.4.9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | better-auth | <= 1.4.9 | 1.4.9 |
Original title
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Original description
### Summary
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.
---
### Description
When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.
However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.
This results in a situation where session validity can be established before all authentication constraints are satisfied.
---
### Impact
An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.
Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.
---
### Mitigation
* Upgrade to a version of `better-auth` that includes the fix for this issue.
* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.
---
### Description
When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.
However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.
This results in a situation where session validity can be established before all authentication constraints are satisfied.
---
### Impact
An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.
Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.
---
### Mitigation
* Upgrade to a version of `better-auth` that includes the fix for this issue.
* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.
osv CVSS4.0
8.6
Vulnerability type
CWE-288
Authentication Bypass Using Alternate Path
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026