Understanding the OAuth Refresh-Token Rotation Vulnerability in Better Auth
This educational analysis covers a critical vulnerability in the Better Auth library, specifically in its OAuth refresh-token rotation mechanism. The vulnerability, identified as CVE-2026-53517, allows an attacker to fork a refresh-token family from a single parent token, leading to indefinite access. We will delve into the root cause, attack surface, exploitation mechanics, real-world impact, and defensive strategies.