CVE-2026-53512
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
| CWE | CWE-287 CWE-306 CWE-345 CWE-863 |
| Vendor | better-auth |
| Product | better-auth |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for better-auth better-auth
Be the first to know when new unknown vulnerabilities affecting better-auth better-auth are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
better-auth / better-auth
< 1.6.11
References
github.com: https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h github.com: https://github.com/better-auth/better-auth/pull/9576 github.com: https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c github.com: https://github.com/better-auth/better-auth/releases/tag/v1.6.11