CVE-2026-53512
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose O
CVSS
—
Sin CVSS
EPSS
0.3%
p22
KEV
—
Exploit Today
7
0-100
Publicado: 15 jul 2026 · Última mod.: 15 jul 2026 · CWE-287 · CWE-306 · CWE-345
Sin historial EPSS suficiente todavía.
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
- github.comhttps://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c
- github.comhttps://github.com/better-auth/better-auth/pull/9576
- github.comhttps://github.com/better-auth/better-auth/releases/tag/v1.6.11
- github.comhttps://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h