PT-2026-56297 · Unknown · Better Auth
Published
2026-07-07
·
Updated
2026-07-08
·
CVE-2026-53512
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
better-auth versions prior to 1.6.11
Description
The legacy
oidcProvider and mcp plugins expose an OAuth 2.0 token endpoint that fails to authenticate confidential clients during the refresh token grant. The system authenticates requests based solely on the possession of a bound refreshToken and a matching client id, omitting the verification of the registered confidential client's client secret. This allows an attacker who obtains a valid refresh token and the public client id to indefinitely mint new access tokens and rotated refresh tokens, maintaining unauthorized access to resources within the user's authorized scope.Additionally, the
mcp plugin contains two related issues: the authorization code grant uses raw equality for client-secret comparison, ignoring encryption or hashing configurations, and the /mcp/token endpoint implements an overly permissive CORS policy by setting Access-Control-Allow-Origin: *, which increases the risk of exploitation in browser contexts.Recommendations
Upgrade to better-auth version 1.6.11 or later.
Migrate from the deprecated
oidcProvider() to @better-auth/oauth-provider to ensure client authentication is enforced on all grants.
As a temporary workaround, force all clients to be public by setting type: "public" and requiring PKCE.
Restrict network-layer ingress for the /api/auth/oauth2/token and /api/auth/mcp/token endpoints to known client IP addresses.
For the mcp endpoint, replace the wildcard CORS header with a strict allowlist at an upstream proxy.
In the event of a suspected leak, invalidate all refresh tokens for the affected client by deleting the corresponding entries in the oauthAccessToken table.Fix
Insufficient Verification of Data Authenticity
Improper Authentication
Missing Authentication
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Better Auth