Description
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorization_code grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two concurrent requests to pass the read step and mint independent access tokens, refresh tokens, and ID tokens; legacy /oauth2/token and /mcp/token paths in oidc-provider and mcp plugins share the same primitive. This issue is fixed in version 1.6.11.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-7w99-5wm4-3g79 | @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive |
References
History
Wed, 15 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Better-auth
Better-auth better Auth |
|
| Vendors & Products |
Better-auth
Better-auth better Auth |
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorization_code grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two concurrent requests to pass the read step and mint independent access tokens, refresh tokens, and ID tokens; legacy /oauth2/token and /mcp/token paths in oidc-provider and mcp plugins share the same primitive. This issue is fixed in version 1.6.11. | |
| Title | Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption | |
| Weaknesses | CWE-362 CWE-367 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T18:07:49.190Z
Reserved: 2026-06-09T17:30:33.456Z
Link: CVE-2026-53518
Updated: 2026-07-15T18:07:45.571Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:15:15Z
Github GHSA