Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53512— Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins

AI Predicted 8.1 Difficulty: Moderate EPSS 0.01% · P2

Possible ATT&CK Techniques 1AI

T1528 · Steal Application Access Token
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53512

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Source: NVD (National Vulnerability Database)
Vulnerability Description
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
better-authbetter-auth < 1.6.11 -

II. Public POCs for CVE-2026-53512

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53512

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53512 (1)

Vendor Advisories for CVE-2026-53512 (1)

Vendor Pages for CVE-2026-53512 (1)

Same Patch Batch · better-auth · 2026-07-15 · 8 CVEs total

CVE-2026-535139.6 CRITICALBetter Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/ss
CVE-2026-535168.3 HIGHBetter Auth: Account takeover via OAuth auto-link to unverified pre-registered email
CVE-2026-535178.1 HIGHBetter Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay
CVE-2026-535147.7 HIGHBetter Auth: Unauthorized invitation acceptance via unverified email match in organization
CVE-2026-453377.6 HIGHBetter Auth: Device authorization approve and deny accept any authenticated session while
CVE-2026-535157.1 HIGHBetter Auth: Privilege escalation via SSO provider registration: missing admin role check
CVE-2026-53518Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Us

IV. Related Vulnerabilities

V. Comments for CVE-2026-53512

No comments yet


Leave a comment