2 matches found
CVE-2026-53517
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-53517
CVE-2026-53517 affects Better Auth’s oauth-provider (and related memory adapter) prior to version 1.6.11. The POST /oauth2/token refresh_token flow performs a non-atomic read–validate–revoke–mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh toke...