Authorization Library Vulnerability in Better Auth for TypeScript
CVE-2026-53517
8.1HIGH
What is CVE-2026-53517?
The Better Auth library, used for authentication and authorization in TypeScript applications, contains a significant vulnerability in its /oauth2/token endpoint. Versions from 1.4.8-beta.7 to 1.6.11 are affected by a non-atomic operation that allows simultaneous requests with the same parent refresh token to bypass the revoked check. This exploit can lead to the creation of unauthorized forked refresh-token families. The issue has been addressed in version 1.6.11, emphasizing the importance of upgrading to secure your application's authentication flow.
Affected Version(s)
better-auth >= 1.4.8-beta.7, < 1.6.0
oauth-provider >= 1.6.0, < 1.6.11
