Cyber Resilience

CVE-2026-45364

High

Published: 28 May 2026

Published
28 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0029 21.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-45364 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 21.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients…

more

controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Rate-limiter bypass on auth endpoints directly enables brute-force credential attacks (T1110).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-69615Shared CWE-307
CVE-2024-57610Shared CWE-307
CVE-2025-23368Shared CWE-307
CVE-2026-22278Shared CWE-307
CVE-2025-69246Shared CWE-307
CVE-2026-35597Shared CWE-307
CVE-2026-45010Shared CWE-307
CVE-2026-6947Shared CWE-307
CVE-2025-14362Shared CWE-307
CVE-2024-23106Shared CWE-307

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

References