PT-2026-56297 · Unknown · Better Auth

Published

2026-07-07

·

Updated

2026-07-08

·

CVE-2026-53512

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions better-auth versions prior to 1.6.11
Description The legacy oidcProvider and mcp plugins expose an OAuth 2.0 token endpoint that fails to authenticate confidential clients during the refresh token grant. The system authenticates requests based solely on the possession of a bound refreshToken and a matching client id, omitting the verification of the registered confidential client's client secret. This allows an attacker who obtains a valid refresh token and the public client id to indefinitely mint new access tokens and rotated refresh tokens, maintaining unauthorized access to resources within the user's authorized scope.
Additionally, the mcp plugin contains two related issues: the authorization code grant uses raw equality for client-secret comparison, ignoring encryption or hashing configurations, and the /mcp/token endpoint implements an overly permissive CORS policy by setting Access-Control-Allow-Origin: *, which increases the risk of exploitation in browser contexts.
Recommendations Upgrade to better-auth version 1.6.11 or later. Migrate from the deprecated oidcProvider() to @better-auth/oauth-provider to ensure client authentication is enforced on all grants. As a temporary workaround, force all clients to be public by setting type: "public" and requiring PKCE. Restrict network-layer ingress for the /api/auth/oauth2/token and /api/auth/mcp/token endpoints to known client IP addresses. For the mcp endpoint, replace the wildcard CORS header with a strict allowlist at an upstream proxy. In the event of a suspected leak, invalidate all refresh tokens for the affected client by deleting the corresponding entries in the oauthAccessToken table.

Fix

Insufficient Verification of Data Authenticity

Improper Authentication

Missing Authentication

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53512
GHSA-PW9M-5JXM-XR6H

Affected Products

Better Auth