CVE-2026-53512
CRITICAL
9.1
CVSS 4.0
Description
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
Metadata
Severity & Metrics
9.1
CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| better-auth | better-auth | — | < 1.6.11 |
Weakness (CWE)
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 9.1 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
References (4)
- https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h
- https://github.com/better-auth/better-auth/pull/9576 https://github.com/better-auth/better-auth/pull/9576
- https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c
- https://github.com/better-auth/better-auth/releases/tag/v1.6.11 https://github.com/better-auth/better-auth/releases/tag/v1.6.11