External risk intelligence

Better Auth OAuth Token Endpoints Allow Unauthenticated Access to Access Tokens

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-53512

The vulnerability resides in OAuth token endpoints (/api/auth/oauth2/token and /api/auth/mcp/token) provided by an authentication library. These endpoints are designed to be public-facing to facilitate authentication flows for web applications and APIs, making them directly accessible over the internet in standard deployments.

Authentication Bypass

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical security vulnerability in the Better Auth library, which handles authentication and authorization for TypeScript applications. Specifically, certain plugins within the library were found to improperly authenticate OAuth token requests. This could allow an attacker to potentially mint new access tokens, even without possessing all the necessary credentials, by exploiting a flaw in how refresh tokens are verified. The main concern is confirming if our systems utilize the affected components.

  • Authentication flaw in token handling.
  • Confirms potential for unauthorized token minting.
  • Assess relevance and exposure to affected components.

Attack Path

How an attacker could exploit the issue

An attacker could gain unauthorized access by exploiting a weakness in the authentication library's token endpoints. If an attacker possesses a valid refresh token and the correct client ID, they can bypass security checks to issue new access tokens and refresh tokens. This could allow them to impersonate legitimate users or gain elevated privileges within the system.

  • Requires a valid refresh token.
  • Targets token issuance endpoints.
  • Allows access token minting.

Live Threat

Current exploitation, exposure, and threat context

An attacker could exploit this vulnerability to mint unauthorized access and refresh tokens by posing as a legitimate user. This is possible when the legacy oidcProvider and mcp plugins are used, allowing them to bypass authentication controls and potentially gain access to protected resources.

  • Authentication tokens and system access.
  • Malicious token minting via exposed endpoints.
  • Unauthorized access to protected resources.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for securing authentication flows, such as application owners or platform teams, should prioritize this issue. The first practical step is to identify all instances of the affected authentication library, determine their reachability and business criticality, and confirm the accountable owner. Once identified and assessed, a remediation plan can be developed based on the associated risk.

  • Application or platform teams own the issue.
  • Verify library usage and token endpoint exposure.
  • Plan remediation based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Better Auth?

Better Auth is an authentication and authorization library built for TypeScript applications. Developers use it to manage user login sessions, identity verification, and access controls. It provides modular components, including plugins for handling complex identity protocols like OAuth, to simplify securing modern web backends.

How does CVE-2026-53512 cause a security flaw?

This vulnerability, related to improper authentication (CWE-287) and missing authorization (CWE-863), occurs because specific legacy plugins fail to verify the confidential client secret. Instead of requiring a full credential check, the system only validates the refresh token and client ID. This weakness allows an attacker to bypass standard security gates and mint new access and refresh tokens.

Do I need a special credential to trigger CVE-2026-53512?

Yes, an attacker must already possess a valid refresh token and the corresponding client ID to trigger this flaw. The issue specifically impacts the legacy oidcProvider and mcp plugins. Importantly, if your application utilizes the @better-auth/oauth-provider package, you are not affected by this specific token endpoint vulnerability.

How do I know if my system is at risk?

According to Halo Surface Signal, this vulnerability resides in OAuth token endpoints designed to be public-facing to facilitate authentication flows. Because these endpoints are typically accessible over the internet to serve web applications, any instance of the affected Better Auth legacy plugins is considered high-relevance for review.

What is the first step to fix this?

You should immediately identify where the affected Better Auth plugins are deployed within your codebase. Once these instances are located, verify their business criticality and update your library to version 1.6.11 or later. Updating ensures the token issuance process correctly enforces client secret verification, closing the unauthorized token minting path.

References