HomeCVE Intelligence › CVE-2026-53517
CVSS 8.1 HIGH Vulnerability

CVE-2026-53517: Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption

Am I affected? Users are affected if all of the following are true: Their project depends on @better-auth/oauth-provider at a version >= 1.6.0, = 1.4.8-beta.7, < 1.6.0. At least one OAuth client served by their applicat…

8.1CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-53517
Vendornpm
Affected Product@better-auth/oauth-provider
Vulnerability TypeVulnerability
CVSS Score8.1 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Am I affected? Users are affected if all of the following are true: - Their project depends on @better-auth/oauth-provider at a version >= 1.6.0, = 1.4.8-beta.7, < 1.6.0.

• At least one OAuth client served by their application's authorization server requests the offline_access scope, so refresh tokens are minted.
• Concurrent redemption of the same refresh token is reachable: an SPA shares one refresh token across browser tabs without a mutex, a mobile client retries after a transient failure, an attacker who has stolen a refresh token times two requests, or a service worker queues offline requests. If developer applications do not request offline_access for any client, no refresh tokens are minted and they are not exposed. Fix: 1. Upgrade to `@better-auth/oauth-provider@1.6.11

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-53517 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence