CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-2vg6-77g8-24mp: Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows

lowCVSS 3.8
Am I affected? Users are affected if all of the following are true: - They configure secondaryStorage on betterAuth(...) (Redis, KV, or any external session cache). - session.storeSessionInDatabase is left unset or set to false (the default). - Their application's deployment uses one or more of: - The admin plugin and calls auth.api.removeUser(...) or authClient.admin.removeUser(...). - The anonymous plugin and exposes /delete-anonymous-user or relies on the after-link hook to clean up the anonymous user. - The @better-auth/scim plugin and exposes DELETE /scim/v2/Users/:userId. If storeSessionInDatabase is true, sessions are also written to the database, and the database delete cascades; users are not affected. Fix: 1. Upgrade to better-auth@<patched-version> or later (and @better-auth/scim@<patched-version> if they use SCIM). 2. If they cannot upgrade, see workarounds below. Summary When secondaryStorage is configured and storeSessionInDatabase is false, three user-deletion endpoints in better-auth plus one in @better-auth/scim call internalAdapter.deleteUser(userId) without first calling internalAdapter.deleteSessions(userId). The deleted user's session payload (which carries a cached user object) remains in secondary storage, and internalAdapter.findSession(token) keeps returning it as a valid session until the session TTL elapses (default 7 days). Details The vulnerable call sites are: - admin plugin's removeUser (packages/better-auth/src/plugins/admin/routes.ts:1463). - anonymous plugin's self-delete endpoint (packages/better-auth/src/plugins/anonymous/index.ts:222). - anonymous plugin's after-link hook (packages/better-auth/src/plugins/anonymous/index.ts:325). - @better-auth/scim's DELETE /scim/v2/Users/:userId (packages/scim/src/routes.ts:1019). Working callers that already do the right thing: the core /delete-user self-delete and /delete-user/callback (packages/better-auth/src/api/routes/update-user.ts:551). The fix shape extends each vulnerable

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low — CVSS 3.8
Published
2026-07-07
Last updated
2026-07-07
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-2vg6-77g8-24mp

More from GitHub Security Advisories