Critical better-auth API Key Bypass Enables Account Takeover
VPN Central [Unofficial]
February 20, 2026
The better-auth API keys plugin contains a critical authentication bypass vulnerability, tracked as CVE-2025-61928, that allows unauthenticated attackers to create privileged API keys for any user account. All versions before 1.3.26 are affected; the package has 300,000+ weekly npm downloads and powers authentication for enterprises including Equinor. ZeroPath’s SAST scanner discovered the issue on October 1, 2025 during dependency […]