CVE-2026-53512

Summary

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.

Affected Software

VendorProductVersion RangeStatus
better-authbetter-auth< 1.6.11affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-306: CWE-306: Missing Authentication for Critical Function
  • CWE-345: CWE-345: Insufficient Verification of Data Authenticity
  • CWE-863: CWE-863: Incorrect Authorization

References