CVE-2026-53517

Summary

Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11.

Affected Software

VendorProductVersion RangeStatus
better-authbetter-auth>= 1.4.8-beta.7, < 1.6.0affected
@better-authoauth-provider>= 1.6.0, < 1.6.11affected

Weaknesses

  • CWE-362: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-367: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References