CVE-2026-53518: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption
A vulnerability in @better-auth/oauth-provider allows concurrent redemption of OAuth authorization codes, potentially leading to multiple independent token sets being issued from a single authorization code. Users of @better-auth/oauth-provider versions >= 1.6.0, < 1.6.11 are affected. Upgrade to @better-auth/[email protected] or later to mitigate.