GHSA-2vg6-77g8-24mp: Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
Am I affected?
Users are affected if all of the following are true:
- They configure secondaryStorage on betterAuth(...) (Redis, KV, or any external session cache).
- session.storeSessionInDatabase is left unset or set to false (the default).
- Their application's deployment uses one or more of:
- The admin plugin and calls auth.api.removeUser(...) or authClient.admin.removeUser(...).
- The anonymous plugin and exposes /delete-anonymous-user or relies on the after-link hook to clean up the anonymous user.
- The @better-auth/scim plugin and exposes DELETE /scim/v2/Users/:userId.
If storeSessionInDatabase is true, sessions are also written to the database, and the database delete cascades; users are not affected.
Fix:
1. Upgrade to better-auth@<patched-version> or later (and @better-auth/scim@<patched-version> if they use SCIM).
2. If they cannot upgrade, see workarounds below.
Summary
When secondaryStorage is configured and storeSessionInDatabase is false, three user-deletion endpoints in better-auth plus one in @better-auth/scim call internalAdapter.deleteUser(userId) without first calling internalAdapter.deleteSessions(userId). The deleted user's session payload (which carries a cached user object) remains in secondary storage, and internalAdapter.findSession(token) keeps returning it as a valid session until the session TTL elapses (default 7 days).
Details
The vulnerable call sites are:
- admin plugin's removeUser (packages/better-auth/src/plugins/admin/routes.ts:1463).
- anonymous plugin's self-delete endpoint (packages/better-auth/src/plugins/anonymous/index.ts:222).
- anonymous plugin's after-link hook (packages/better-auth/src/plugins/anonymous/index.ts:325).
- @better-auth/scim's DELETE /scim/v2/Users/:userId (packages/scim/src/routes.ts:1019).
Working callers that already do the right thing: the core /delete-user self-delete and /delete-user/callback (packages/better-auth/src/api/routes/update-user.ts:551).
The fix shape extends each vulnerable
Details
Original advisory: https://github.com/advisories/GHSA-2vg6-77g8-24mp
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10