Authentication and Authorization Library Vulnerability for TypeScript by Better Auth
CVE-2026-53518

7.6HIGH

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-53518?

The Better Auth library allows concurrent requests to exploit a non-atomic sequence when redeeming authorization codes at the @better-auth/oauth-provider POST /oauth2/token endpoint. This flaw may permit unauthorized issuance of access tokens, refresh tokens, and ID tokens. The issue arises from the shared use of primitive methods between legacy paths in oidc-provider and mcp plugins, impacting the security of the authentication process. Resolution is provided in version 1.6.11.

Affected Version(s)

better-auth >= 1.6.0, < 1.6.11

References

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.