PT-2026-46299 · Rubygems · Doorkeeper::Openidconnect
Published
2026-06-04
·
Updated
2026-06-04
·
CVE-2026-44476
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Impact
The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the registration response includes a client_secret and advertises token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"]. Because Doorkeeper's Application.by_uid_and_secret treats a blank or missing secret as valid for non-confidential (public) clients, an attacker who knows only the client_id (which is public information) can authenticate as the dynamically-registered client at the token endpoint without presenting any secret.
Note that Dynamic Client Registration is an opt-in feature that is disabled by default, so only deployments that have explicitly enabled it are affected.
Steps to Reproduce
- Enable dynamic client registration in the initializer
- POST /oauth/registration with client_name, redirect_uris, and scope
- Observe: the response returns a client_secret, but the created Doorkeeper::Application has confidential: false
- Call Doorkeeper::Application.by_uid_and_secret(client_id, nil): it returns the application (credentials bypass)
- POST /oauth/token with grant_type=client_credentials and only client_id (no client_secret): the token endpoint issues an access token without any secret verification
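The reproduction steps above and the workaround below, as an added example that is not code from doorkeeper or doorkeeper-openid_connect. It models, in memory, the lookup semantic the advisory attributes to Application.by_uid_and_secret (blank secret accepted for a non-confidential client) and shows why the vulnerable registration (confidential: false) is accepted at the token endpoint with no secret, how the fixed registration (confidential: true) and the workaround close that path, and that a correct secret still works afterwards. DemoApplication, DemoRegistry and the helper function names are assumptions for illustration only.

```ruby
# Added example, not doorkeeper or doorkeeper-openid_connect code.
# DemoApplication, DemoRegistry and the helpers below are illustrative stand-ins.
require 'securerandom'

# Stand-in for Doorkeeper::Application with only the attributes that matter
# for client authentication.
class DemoApplication
  attr_reader :uid, :secret, :name
  attr_accessor :confidential

  def initialize(name:, confidential:)
    @name = name
    @uid = SecureRandom.hex(16)    # client_id, treated as public information
    @secret = SecureRandom.hex(32) # client_secret handed back at registration
    @confidential = confidential
  end

  def confidential?
    @confidential
  end

  # Constant-time comparison so the demo itself does not leak the secret via timing.
  def secret_matches?(candidate)
    return false if candidate.nil?
    a = secret.to_s.bytes
    b = candidate.to_s.bytes
    return false unless a.length == b.length
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the applications table plus the lookup used at the token endpoint.
class DemoRegistry
  def initialize
    @apps = {}
  end

  def add(app)
    @apps[app.uid] = app
    app
  end

  # Mirrors the semantic the advisory describes for Application.by_uid_and_secret:
  # a blank secret is accepted for a non-confidential (public) client; otherwise
  # the presented secret must match the stored one.
  def by_uid_and_secret(uid, secret)
    app = @apps[uid]
    return nil unless app
    return app if (secret.nil? || secret.empty?) && !app.confidential?
    return nil unless app.secret_matches?(secret)
    app
  end

  def each_app(&blk)
    @apps.each_value(&blk)
  end
end

AUTH_METHODS = %w[client_secret_basic client_secret_post].freeze

# Vulnerable registration: confidential is hard-coded to false, yet the response
# hands back a client_secret and advertises secret-based auth methods.
def register_vulnerable(registry, client_name)
  app = registry.add(DemoApplication.new(name: client_name, confidential: false))
  { 'client_id' => app.uid, 'client_secret' => app.secret,
    'token_endpoint_auth_methods_supported' => AUTH_METHODS }
end

# Fixed registration: a client that is issued a secret is a confidential client.
def register_fixed(registry, client_name)
  app = registry.add(DemoApplication.new(name: client_name, confidential: true))
  { 'client_id' => app.uid, 'client_secret' => app.secret,
    'token_endpoint_auth_methods_supported' => AUTH_METHODS }
end

# The authentication step of POST /oauth/token with grant_type=client_credentials:
# true when the endpoint would accept the presented credentials and issue a token.
def token_endpoint_authenticates?(registry, client_id, client_secret)
  !registry.by_uid_and_secret(client_id, client_secret).nil?
end

# The advisory's workaround: flip existing public registrations to confidential.
# Returns how many applications were changed.
def apply_workaround(registry)
  changed = 0
  registry.each_app do |app|
    next if app.confidential?
    app.confidential = true
    changed += 1
  end
  changed
end

if __FILE__ == $PROGRAM_NAME
  reg = DemoRegistry.new
  resp = register_vulnerable(reg, 'demo client')
  puts "no secret, before workaround: #{token_endpoint_authenticates?(reg, resp['client_id'], nil)}"
  apply_workaround(reg)
  puts "no secret, after workaround:  #{token_endpoint_authenticates?(reg, resp['client_id'], nil)}"
end
```

Run it with `ruby` to see the accept/reject change. In a real deployment using Doorkeeper's ActiveRecord ORM, `Doorkeeper::Application.where(confidential: false)` in a Rails console lists the registrations the workaround needs to touch; check that list before and after upgrading, because the 1.10.0 patch changes how new registrations are created but does not by itself rewrite rows that already exist.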
Patches
Patched in 1.10.0
Workarounds
Update existing applications created through Dynamic Client Registration so that they have confidential: true
Fix
Weakness Enumeration
CWE-290: Authentication Bypass by Spoofing
Related Identifiers
Affected Products
Doorkeeper::Openidconnect