PatchSiren cyber security CVE debrief
CVE-2026-45364 better-auth CVE debrief
Better Auth's HTTP rate limiter prior to versions 1.4.17 and 1.5.0-beta.9 used raw textual IP addresses from x-forwarded-for (or configured IP-bearing headers) as rate-limiting keys without normalization. This allowed IPv6 clients with a /64 allocation to rotate through 2^64 distinct addresses, bypassing per-address rate limits on authentication endpoints including /sign-in/email, /sign-up/email, and /forget-password. Additionally, a single IPv6 address could be represented in multiple textual forms (uppercase, compressed, IPv4-mapped, hex-encoded IPv4-in-IPv6), generating distinct rate-limit keys for the same client. The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). Fixes were released on 2026-05-28.
- Vendor: better-auth
- Product: Unknown
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations running Better Auth versions prior to 1.4.17 or 1.5.0-beta.9, particularly those exposed to IPv6 client traffic or operating authentication services without additional protective layers. Security teams should prioritize this given the HIGH CVSS score and the direct impact on authentication security controls.
Technical summary
The vulnerability exists in Better Auth's HTTP rate limiter implementation where IP addresses extracted from x-forwarded-for or configured headers were used as-is without canonicalization. For IPv6, this creates two bypass vectors: (1) clients with /64 address allocations can generate effectively unlimited distinct addresses, and (2) equivalent addresses expressed in different textual formats (uppercase vs lowercase hexadecimal, compressed vs expanded notation, IPv4-mapped vs native IPv6, various hex encodings) produce different rate-limit keys. The affected endpoints include /sign-in/email, /sign-up/email, /forget-password, and all other paths protected by the rate limiter. The fix implements proper IP address normalization before key generation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Better Auth to version 1.4.17 (stable) or 1.5.0-beta.9 (beta) immediately
- If immediate upgrade is not possible, implement additional rate limiting at the reverse proxy or WAF layer using normalized IP addresses
- Review application logs for signs of distributed authentication attempts from IPv6 /64 ranges that may indicate exploitation
- Consider implementing secondary rate limiting mechanisms (e.g., account-based limits, CAPTCHA challenges) for sensitive authentication endpoints
- Audit any custom IP extraction logic to ensure it does not replicate the same normalization vulnerability
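The following is an added illustration of the normalization step described in the technical summary and in the audit recommendation above; it is not better-auth's own code, nor the fix from the referenced commits. It assumes a Node.js environment, and the choice to bucket IPv6 clients by their /64 prefix and to fold IPv4-mapped addresses back to their IPv4 form is an assumption about a reasonable key design, not something the advisory prescribes. The sample addresses are constructed from documentation ranges.

```javascript
// Added example (not better-auth's code): canonicalize a client IP before
// using it as a rate-limit key. Equivalent spellings of one address, and
// any address inside one IPv6 /64, collapse to a single key.

// Parse an IPv4 dotted quad into 4 byte values; returns null if invalid.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const bytes = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    bytes.push(n);
  }
  return bytes;
}

// Parse an IPv6 textual address into 8 16-bit groups; returns null if invalid.
// Handles '::' compression, upper/lowercase hex, a zone id suffix (%eth0),
// and an embedded dotted IPv4 tail such as ::ffff:192.0.2.1.
function parseIPv6(s) {
  let str = s.trim();
  const zone = str.indexOf('%');
  if (zone !== -1) str = str.slice(0, zone);
  if (str.split('::').length > 2) return null; // at most one '::'
  const [head, tail] = str.split('::');
  const toGroups = (part) => {
    if (part === '') return [];
    const items = part.split(':');
    const groups = [];
    for (let i = 0; i < items.length; i++) {
      const item = items[i];
      if (i === items.length - 1 && item.includes('.')) {
        const v4 = parseIPv4(item); // dotted IPv4 tail occupies 2 groups
        if (!v4) return null;
        groups.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      } else {
        if (!/^[0-9a-fA-F]{1,4}$/.test(item)) return null;
        groups.push(parseInt(item, 16));
      }
    }
    return groups;
  };
  const h = toGroups(head);
  if (h === null) return null;
  let groups;
  if (tail === undefined) {
    groups = h;
  } else {
    const t = toGroups(tail);
    if (t === null) return null;
    if (h.length + t.length > 7) return null; // '::' must stand for >= 1 group
    groups = h.concat(new Array(8 - h.length - t.length).fill(0), t);
  }
  return groups.length === 8 ? groups : null;
}

// Derive the rate-limit key (assumed key format, not the library's):
//  - IPv4 -> 'v4:' + dotted quad
//  - IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:hex) -> folded to its IPv4 key
//  - other IPv6 -> 'v6/64:' + the first 4 groups, expanded lowercase hex
// Returns null for anything that is not a valid address.
function rateLimitKey(ip) {
  if (typeof ip !== 'string') return null;
  const v4 = parseIPv4(ip.trim());
  if (v4) return 'v4:' + v4.join('.');
  const g = parseIPv6(ip);
  if (!g) return null;
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) {
    return 'v4:' + [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
  }
  const hex = (n) => n.toString(16).padStart(4, '0');
  return 'v6/64:' + g.slice(0, 4).map(hex).join(':');
}

// Minimal counter keyed by the canonical key: shows how rotated spellings
// and sibling hosts in one /64 land in the same bucket.
function countRequests(ips) {
  const counts = new Map();
  for (const ip of ips) {
    const key = rateLimitKey(ip) ?? 'invalid';
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// Constructed sample of x-forwarded-for values (documentation ranges).
const SAMPLE = [
  '2001:db8:1:2::1',
  '2001:DB8:1:2:0:0:0:1',  // same address, uppercase and fully expanded
  '2001:db8:1:2:abcd::99', // different host, same /64
  '::ffff:192.0.2.10',
  '::FFFF:c000:020a',      // same IPv4-mapped address in hex form
  '192.0.2.10',
];

for (const [key, n] of countRequests(SAMPLE)) console.log(key, n);
```

Running the sample yields two buckets: the three IPv6 spellings map to `v6/64:2001:0db8:0001:0002` and the three IPv4 variants map to `v4:192.0.2.10`, whereas a raw string key would have produced six independent counters. Bucketing at /64 is a trade-off: it closes the rotation gap described in the advisory but can group unrelated hosts behind one allocation, so deployments that share /64s widely may prefer a finer prefix plus the account-based limits recommended above.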
Evidence notes
CVE description confirms rate limiter keyed by exact textual IP address from x-forwarded-for. GitHub Security Advisory GHSA-p6v2-xcpg-h6xw and associated commits (43e719b, 57af0f7) provide fix verification. Pull requests #7470 and #7509 reference implementation changes. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L supports HIGH severity classification.
Official resources
2026-05-28