PT-2026-47084 · Npm · Nocodb

Published

2026-06-05

·

Updated

2026-06-05

·

CVE-2026-47386

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access token, refresh token) pair, breaking the single-use guarantee that PKCE relies on.

Details

The token-exchange flow read is_used and then called markAsUsed as an unconditional UPDATE at the end of the path, so two requests that both read is_used = false before either one wrote could each pass validation and mint tokens. A new OAuthAuthorizationCode.claimByCode method now performs an atomic compare-and-swap (UPDATE ... WHERE code = ? AND is_used = false) and is called immediately before OAuthToken.insert, after the redirect-URI, PKCE, and client-authentication checks have all succeeded. Only the first concurrent caller's UPDATE matches a row; every other caller receives invalid_grant: Authorization code has already been used.

Impact

An attacker who has observed an authorization code and the corresponding PKCE verifier (for example through a malicious OAuth-aware client or by racing a real exchange) could obtain a long-lived refresh token in addition to the legitimate one.

Credit

This issue was reported by @eddieran.

Fix

Weakness Enumeration

Race Condition

Related Identifiers

CVE-2026-47386
GHSA-8M7C-HF24-5G47

Affected Products

Nocodb