Auth bypass in Better-auth

CVE-2026-53512

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshTo…

Vulnerability class: Broken Authentication

Affected products

Weakness classification (CWE)

References