Authorization Flaw in Better Auth Authentication Library for TypeScript
CVE-2026-53512

9.1CRITICAL

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-53512?

A security issue exists in the Better Auth authentication and authorization library for TypeScript where the legacy oidcProvider and mcp plugins unintentionally expose OAuth token endpoints. Prior to version 1.6.11, these endpoints authenticate solely on the basis of a bound refresh token and client ID without verifying the confidential client's client secret. This flaw allows an attacker possessing a valid refresh token to generate both access tokens and rotated refresh tokens via the /api/auth/oauth2/token or /api/auth/mcp/token endpoints. The issue has been resolved in version 1.6.11.

Affected Version(s)

better-auth < 1.6.11

References

CVSS V4

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.