{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/better-auth--1.6.11/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["better-auth (\u003c 1.6.11)"],"_cs_severities":["critical"],"_cs_tags":["oauth","authentication-bypass","vulnerability","web","better-auth"],"_cs_type":"advisory","_cs_vendors":["better-auth"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-53512, has been identified in the \u003ccode\u003ebetter-auth\u003c/code\u003e library, affecting applications using the deprecated \u003ccode\u003eoidcProvider()\u003c/code\u003e or \u003ccode\u003emcp()\u003c/code\u003e plugins in versions prior to \u003ccode\u003e1.6.11\u003c/code\u003e. This flaw stems from a missing client authentication step during the OAuth 2.0 \u003ccode\u003erefresh_token\u003c/code\u003e grant for confidential clients. Unlike the \u003ccode\u003eauthorization_code\u003c/code\u003e grant, these plugins failed to verify the \u003ccode\u003eclient_secret\u003c/code\u003e, enabling an attacker to replay a stolen \u003ccode\u003erefresh_token\u003c/code\u003e and its corresponding public \u003ccode\u003eclient_id\u003c/code\u003e to repeatedly mint new access tokens. The attacker can gain indefinite access to resources with the user's original authorized scope, as token rotation refreshes the expiration window with each call. This significantly impacts any \u003ccode\u003ebetter-auth\u003c/code\u003e application configured with confidential OAuth clients using the vulnerable plugins.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Credential Acquisition:\u003c/strong\u003e An attacker obtains a valid \u003ccode\u003erefresh_token\u003c/code\u003e and the associated public \u003ccode\u003eclient_id\u003c/code\u003e for a confidential OAuth client. This could occur through various methods such as a database breach, log file capture, browser-side Cross-Site Scripting (XSS), or via a CORS-amplified script if exploiting the \u003ccode\u003emcp\u003c/code\u003e endpoint with its wildcard \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation of Missing Authentication:\u003c/strong\u003e The attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the vulnerable OAuth 2.0 token endpoint (e.g., \u003ccode\u003e/api/auth/oauth2/token\u003c/code\u003e or \u003ccode\u003e/api/auth/mcp/token\u003c/code\u003e) using the stolen \u003ccode\u003erefresh_token\u003c/code\u003e and \u003ccode\u003eclient_id\u003c/code\u003e, but crucially, \u003cem\u003ewithout\u003c/em\u003e providing the \u003ccode\u003eclient_secret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Endpoint Bypass:\u003c/strong\u003e Due to the flaw in \u003ccode\u003ebetter-auth\u003c/code\u003e versions prior to 1.6.11, the \u003ccode\u003eoidcProvider\u003c/code\u003e or \u003ccode\u003emcp\u003c/code\u003e plugins do not enforce \u003ccode\u003eclient_secret\u003c/code\u003e verification on the \u003ccode\u003erefresh_token\u003c/code\u003e grant for confidential clients, allowing the unauthenticated request to proceed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Token Minting:\u003c/strong\u003e The vulnerable token endpoint issues a new, valid \u003ccode\u003eaccess_token\u003c/code\u003e to the attacker, along with a rotated \u003ccode\u003erefresh_token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIndefinite Session Prolongation:\u003c/strong\u003e The attacker uses the newly minted \u003ccode\u003erefresh_token\u003c/code\u003e to repeat steps 2-4, effectively resetting the expiration window of the session and gaining indefinite access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access:\u003c/strong\u003e With the valid \u003ccode\u003eaccess_token\u003c/code\u003e, the attacker can impersonate the legitimate client and user, making requests to resource servers to access, modify, or exfiltrate data within the scope of the original user's authorization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-53512 is significant, primarily leading to indefinite confidential-client impersonation. An attacker who has acquired a single \u003ccode\u003erefresh_token\u003c/code\u003e and the corresponding \u003ccode\u003eclient_id\u003c/code\u003e can continuously mint new \u003ccode\u003eaccess_tokens\u003c/code\u003e and rotate \u003ccode\u003erefresh_tokens\u003c/code\u003e, thereby maintaining persistent unauthorized access without further authentication. Each newly issued \u003ccode\u003eaccess_token\u003c/code\u003e carries the original user's authorized scope, granting the attacker the ability to read, write, or otherwise manipulate data on resource servers as if they were the legitimate user. This can result in severe data breaches, unauthorized modifications, and complete compromise of data governed by the affected OAuth client's permissions. The vulnerability affects \u003ccode\u003ebetter-auth\u003c/code\u003e applications leveraging the deprecated \u003ccode\u003eoidcProvider\u003c/code\u003e or \u003ccode\u003emcp\u003c/code\u003e plugins.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade immediately\u003c/strong\u003e to \u003ccode\u003ebetter-auth@1.6.11\u003c/code\u003e or later to apply the official patch for CVE-2026-53512.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMigrate from deprecated plugins\u003c/strong\u003e by transitioning from \u003ccode\u003eoidcProvider()\u003c/code\u003e to the canonical \u003ccode\u003e@better-auth/oauth-provider\u003c/code\u003e package, as it enforces client authentication on all grants by default.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement network-layer ingress restriction\u003c/strong\u003e for \u003ccode\u003e/api/auth/oauth2/token\u003c/code\u003e and \u003ccode\u003e/api/auth/mcp/token\u003c/code\u003e endpoints to known client IPs at the load balancer, which can partially mitigate risk for server-to-server flows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eForce all clients to public + PKCE\u003c/strong\u003e by setting every client's \u003ccode\u003etype: \u0026quot;public\u0026quot;\u003c/code\u003e and requiring PKCE, thereby eliminating the \u003ccode\u003eclient_secret\u003c/code\u003e for verification where the bug manifests.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFor the mcp endpoint specifically\u003c/strong\u003e, drop the wildcard CORS header at an upstream proxy and replace it with a tight allowlist to prevent CORS-amplified attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T20:15:52Z","date_published":"2026-07-07T20:15:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-better-auth-refresh-token-replay/","summary":"The legacy `oidcProvider` and `mcp` plugins in the `better-auth` library versions prior to 1.6.11 are vulnerable to CVE-2026-53512, an OAuth refresh-token replay attack where the plugins fail to verify the `client_secret` of confidential clients during the `refresh_token` grant, allowing an attacker who obtains a valid `refresh_token` and `client_id` to indefinitely mint new access tokens and impersonate the client for unauthorized resource access.","title":"Better Auth OAuth Refresh Token Replay via Missing Client Authentication (CVE-2026-53512)","url":"https://feed.craftedsignal.io/briefs/2026-07-better-auth-refresh-token-replay/"}],"language":"en","title":"CraftedSignal Threat Feed - Better-Auth (\u003c 1.6.11)","version":"https://jsonfeed.org/version/1.1"}