CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53517

highCVSS 8.1covered by 1 sourcefirst seen 2026-07-07
Am I affected? Users are affected if all of the following are true: - Their project depends on @better-auth/oauth-provider at a version >= 1.6.0, < 1.6.11, or uses the embedded plugin in better-auth >= 1.4.8-beta.7, < 1.6.0. - At least one OAuth client served by their application's authorization server requests the offline_access scope, so refresh tokens are minted. - Concurrent redemption of the same refresh token is reachable: an SPA shares one refresh token across browser tabs without a mutex, a mobile client retries after a transient failure, an attacker who has stolen a refresh token times two requests, or a service worker queues offline requests. If developer applications do not request offline_access for any client, no refresh tokens are minted and they are not exposed. Fix: 1. Upgrade to @better-auth/oauth-provider@1.6.11 or later. 2. If developers cannot upgrade, see workarounds below. Summary The OAuth provider's POST /oauth2/token endpoint, on the refresh_token grant, performs a non-atomic read / validate / revoke / mint sequence on the oauthRefreshToken row. Two concurrent requests presenting the same parent refresh token both pass the revocation check before either revoke completes, so each mints a fresh refresh token. The replay-detection branch only fires when revoked is already truthy at read time, which is exactly the state concurrent attackers race past. The result is a forked refresh-token family from a single parent token. Details The adapter.update predicate on the parent row is keyed on id only; it does not include revoked IS NULL, so two concurrent updates both succeed (last-write-wins, no error path). The schema does not declare unique on oauthRefreshToken.token, so concurrent creates do not collide on a unique-key violation either. RFC 9700 §4.14 (OAuth Security Best Current Practice) prescribes refresh-token family invalidation on detected reuse; this implementation tries to enforce that contract through the revoked check, but the

⚡ Watch CVE-2026-53517

Get an email if CVE-2026-53517 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53517

CVE.org record

Embed the live status

CVE-2026-53517 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53517 status](https://www.csirts.com/badge/CVE-2026-53517)](https://www.csirts.com/cve/CVE-2026-53517)