Am I affected? Users are affected if all of the following are true: Their project depends on @better-auth/oauth-provider at a version >= 1.6.0, = 1.4.8-beta.7, , discarding the row count surfaced by adapter.deleteMany,…
| CVE ID | CVE-2026-53518 |
| Vendor | npm |
| Affected Product | @better-auth/oauth-provider |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.1 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
@better-auth/oauth-provider at a version >= 1.6.0, = 1.4.8-beta.7, , discarding the row count surfaced by adapter.deleteMany, so no call site can detect "another caller already claimed this row". The fix lands at the primitive layer rather than at any individual call site. The fix introduces a claimVerificationByIdentifier primitive at the internal-adapter layer that performs an atomic claim-and-return, replaces the find-then-delete pair at this call site, and migrates the highest-impact variant sites in the same release.@better-auth/oauth-provider@1.6.11 and better-auth@1.6.11 for the legacy oidc-provider and mcp plugin paths. All three token-exchange caSigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.