GHSA-7w99-5wm4-3g79: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
Summary
A security flaw in @better-auth/oauth-provider allows two token requests sent at the same time to both redeem a single authorization code (a temporary token that should only work once), bypassing OAuth security rules. The vulnerability affects versions 1.6.0 through 1.6.10, and similar issues exist in the legacy plugins from better-auth versions 1.4.8-beta.7 through 1.6.0.
Solution / Mitigation
Upgrade to @better-auth/oauth-provider@1.6.11 or later, or upgrade better-auth to 1.6.11 or later if using the legacy plugin paths. The fix replaces the unsafe find-then-delete sequence with an atomic claim-and-return primitive (consumeVerificationValue) that ensures only the first request successfully claims the authorization code, causing concurrent requests to receive an invalid_grant error instead.
Vulnerability Details
EPSS: 0.0%
Yes
July 7, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-7w99-5wm4-3g79
First tracked: July 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%