Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refreshtoken grant authenticates only possession of the bound refreshToken row and matching clientid, without verifying the confidential client's clientsecret, allowing an attacker with a valid refreshtoken to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
{
"cwe_ids": [
"CWE-287",
"CWE-306",
"CWE-345",
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53512.json",
"cna_assigner": "GitHub_M"
}