CVE-2026-53517 in better-authinformación

Resumen

por MITRE • 2026-07-15

Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Responsable

GitHub M

Reservar

2026-06-09

Divulgación

2026-07-15

Moderación

aceptado

Artículo

VDB-379355

CPE

listo

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Want to stay up to date on a daily basis?

Enable the mail alert feature now!