95 matches found
CVE-2026-53517
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-53518
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorizationcode grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two...
CVE-2026-53512
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refreshtoken grant authenticates only possession of the bound refreshToken row and matching clientid, without verifying the...
CVE-2026-53516
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts emailverified: true without requiring the local user row's emailVerified...
CVE-2026-45337
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny...
EUVD-2026-44745
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-45337
Better Auth (TypeScript library) vulnerability CVE-2026-45337 affects versions 1.6.0–1.6.10 in the deviceAuthorization plugin. The root cause is that the verification path does not claim ownership of the pending device code and the approve/deny checks short-circuit when userId is unset, allowing ...
EUVD-2026-44740
Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row a...
CVE-2026-53518
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorizationcode grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two...
CVE-2026-53518 Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorizationcode grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two...
EUVD-2026-44733
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: tru...
CVE-2026-53513
CVE-2026-53513 affects the @better-auth/sso plugin for Better Auth. When skipDiscovery: true is set, POST /sso/register and POST /sso/update-provider may store attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs without origin validation, leading to server-side r...
CVE-2026-53516
Summary: CVE-2026-53516 affects Better Auth (
CVE-2026-53516 Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts emailverified: true without requiring the local user row's emailVerified...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the authorizationcode grant handler. An attacker can obtain multiple valid access...
Insufficient Session Expiration
Overview @better-auth/oauth-provider is an An oauth provider plugin for Better Auth Affected versions of this package are vulnerable to Insufficient Session Expiration through the POST /oauth2/token endpoint during the refresh token granting. An attacker can gain unauthorized access by exploiting...
Insufficient Session Expiration
Overview @better-auth/memory-adapter is a Memory adapter for Better Auth Affected versions of this package are vulnerable to Insufficient Session Expiration through the POST /oauth2/token endpoint during the refresh token granting. An attacker can gain unauthorized access by exploiting a race...
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
Am I affected? Users are affected if all of the following are true: - Their project depends on @better-auth/oauth-provider at a version = 1.6.0, = 1.4.8-beta.7, 1.6.0. - At least one OAuth client served by their application's authorization server requests the offlineaccess scope, so refresh token...
NPM: Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
NPM: Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.11...
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
Am I affected? Users are affected if all of the following are true: - Their application uses better-auth at a version 1.6.11 on the stable line, or any current next pre-release. - emailAndPassword.enabled: true is set in their application's betterAuth ... configuration. - At least one OAuth or SS...