CVE-2026-53512
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose O
CVSS
—
No CVSS
EPSS
0.3%
p22
KEV
—
Exploit Today
7
0-100
Published: Jul 15, 2026 · Last modified: Jul 15, 2026 · CWE-287 · CWE-306 · CWE-345
Not enough EPSS history yet.
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
- github.comhttps://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c
- github.comhttps://github.com/better-auth/better-auth/pull/9576
- github.comhttps://github.com/better-auth/better-auth/releases/tag/v1.6.11
- github.comhttps://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h