PatchSiren cyber security CVE debrief
CVE-2026-53512 better-auth CVE debrief
CVE-2026-53512 is a critical vulnerability in Better Auth, a TypeScript authentication and authorization library. The vulnerability affects versions prior to 1.6.11 and allows an attacker with a valid refresh token to mint access tokens and rotated refresh tokens without verifying the confidential client's client secret. This issue can have significant operational impact, as it could allow unauthorized access to sensitive information. The vulnerability is caused by the legacy oidcProvider and mcp plugins exposing OAuth token endpoints that authenticate only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret.
- Vendor
- better-auth
- Product
- Unknown
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-18
Who should care
Users of Better Auth library, especially those using versions prior to 1.6.11, should be aware of this vulnerability and take immediate action to upgrade to the latest version. This vulnerability may impact organizations that rely on Better Auth for authentication and authorization, potentially exposing sensitive information. Affected operators, platforms, and security teams should review the vulnerability details and plan for remediation.
Technical summary
The vulnerability is caused by the legacy oidcProvider and mcp plugins exposing OAuth token endpoints that authenticate only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret. This allows an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. The vulnerability has a CVSS score of 9.1 and is considered critical.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 1.6.11 or later
- Review and update authentication and authorization configurations
- Monitor for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-15T18:16:47.420Z and was last modified on 2026-07-18T02:17:09.780Z. The NVD entry is currently Undergoing Analysis. This information is based on the provided source corpus and may be subject to change as more information becomes available. Users should verify the status of the vulnerability and the affected products to ensure accurate risk assessment.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T18:16:47.420Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.