CVE-2026-53517
better-auth · better-auth
Better-auth contains race condition vulnerabilities, specifically CWE-362 and CWE-367, which may allow authenticated users to compromise authentication and authorization integrity.
Executive summary
The better-auth library contains critical race condition vulnerabilities that could allow an authenticated attacker to manipulate authentication or authorization states, posing a high risk to system integrity.
Vulnerability
The library is susceptible to race conditions (CWE-362 and CWE-367) involving improper synchronization of shared resources. These flaws require the attacker to have low-level authenticated access to trigger the race condition during authentication or authorization processes.
Business impact
Successful exploitation of these race conditions allows an authenticated attacker to bypass intended authorization checks or manipulate authentication tokens. Given the CVSS score of 8.1, this vulnerability poses a significant risk of unauthorized privilege escalation or account takeover. Such compromises can lead to severe data breaches, unauthorized access to sensitive administrative functions, and the complete loss of trust in the authentication provider.
Remediation
Immediate Action: Update the better-auth package to version 1.6.0 and the @better-auth/oauth-provider package to version 1.6.11 or later.
Proactive Monitoring: Review application access logs for unusual patterns in authentication requests or concurrent session creation attempts that may suggest race condition exploitation.
Compensating Controls: Ensure that downstream applications using this library implement robust secondary authorization checks where possible to mitigate the impact of potential authentication bypasses.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The presence of race condition vulnerabilities in an authentication library is highly critical due to the potential for widespread account and session compromise. Organizations utilizing better-auth must prioritize the update to the specified fixed versions immediately. Failure to patch these components leaves the entire authentication flow vulnerable to manipulation by authenticated attackers.