Authentication and Authorization Library Vulnerability for TypeScript by Better Auth
CVE-2026-53518
7.6HIGH
What is CVE-2026-53518?
The Better Auth library allows concurrent requests to exploit a non-atomic sequence when redeeming authorization codes at the @better-auth/oauth-provider POST /oauth2/token endpoint. This flaw may permit unauthorized issuance of access tokens, refresh tokens, and ID tokens. The issue arises from the shared use of primitive methods between legacy paths in oidc-provider and mcp plugins, impacting the security of the authentication process. Resolution is provided in version 1.6.11.
Affected Version(s)
better-auth >= 1.6.0, < 1.6.11
