CVE-2026-53512
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| better-auth | better-auth | < 1.6.11 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
- CWE-306: CWE-306: Missing Authentication for Critical Function
- CWE-345: CWE-345: Insufficient Verification of Data Authenticity
- CWE-863: CWE-863: Incorrect Authorization
References
- https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h
- https://github.com/better-auth/better-auth/pull/9576
- https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c
- https://github.com/better-auth/better-auth/releases/tag/v1.6.11
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.