CVE-2026-53517 in better-auth
Summary
by MITRE • 07/15/2026
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability exists within the @better-auth/oauth-provider library where the POST /oauth2/token endpoint handles refresh token operations through a non-atomic sequence that creates a race condition in the authentication flow. This flaw affects versions from 1.4.8-beta.7 through 1.6.11, including embedded plugin versions prior to 1.6.0, creating a significant security risk in authorization systems relying on this library.
The technical implementation suffers from a classic race condition pattern where multiple concurrent requests attempting to refresh tokens with the same parent refresh token can bypass the revocation check due to the lack of atomic operations. The sequence involves reading the current state of the oauthRefreshToken row, validating the token, revoking it, and then minting a new one without proper synchronization mechanisms. This non-atomic approach allows multiple requests to read the same unrevoked token state simultaneously, enabling them to all pass validation and create separate token families that can operate independently.
This vulnerability directly maps to CWE-362, Concurrent Execution using Shared Resource with Unprotected Shared Data, and aligns with ATT&CK technique T1548.002 for privilege escalation through legitimate credentials. The impact of this flaw extends beyond simple authentication bypass as it creates token lineage confusion where an attacker could potentially maintain access through multiple token families derived from a single compromised refresh token. The concurrent nature means that any session hijacking or unauthorized access attempts leveraging this vulnerability could result in persistent unauthorized access.
The operational implications are severe for systems using this library, as the vulnerability allows for token replay attacks and creates multiple valid token chains from a single source. Attackers can exploit this by flooding the endpoint with concurrent refresh requests immediately after a legitimate refresh token is used, causing the system to generate multiple valid token families that all remain functional. Organizations implementing better-auth in their applications must consider this as a critical vulnerability affecting session management and access control mechanisms.
Mitigation strategies include upgrading to version 1.6.11 or later where atomic operations have been implemented for refresh token handling. System administrators should also implement additional monitoring for unusual refresh token activity patterns and consider rate limiting on the /oauth2/token endpoint to reduce the effectiveness of concurrent request exploitation. The fix addresses the core race condition by ensuring that read-validate-revoke-mint operations occur atomically, preventing multiple concurrent requests from interfering with each other's token state modifications. Organizations should also review their token lifecycle management policies and implement proper token invalidation mechanisms to minimize potential impact from similar vulnerabilities in other components.