From f4c4677b26ddb94f0b7388c2cde3f9095a50a5bf Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Thu, 4 Jun 2026 12:30:05 -0400 Subject: [PATCH] GHSA/SYNC: 1 new advisory --- .../CVE-2026-44476.yml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 gems/doorkeeper-openid_connect/CVE-2026-44476.yml diff --git a/gems/doorkeeper-openid_connect/CVE-2026-44476.yml b/gems/doorkeeper-openid_connect/CVE-2026-44476.yml new file mode 100644 index 0000000000..f3dcb862c4 --- /dev/null +++ b/gems/doorkeeper-openid_connect/CVE-2026-44476.yml 
@@ -0,0 +1,59 @@ +--- +gem: doorkeeper-openid_connect +cve: 2026-44476 +ghsa: m6vc-f87m-cc2h +url: https://www.cve.org/CVERecord?id=CVE-2026-44476 +title: Dynamic Client Registration feature creates public clients + with client_secret +date: 2026-06-04 +description: | + ### Impact + + The `DynamicClientRegistrationController#register` action hard-codes + `confidential: false` when creating applications + (dynamic_client_registration_controller.rb:18-25), yet the response + includes a client_secret and advertises `token_endpoint_auth_methods_supported: + ["client_secret_basic", "client_secret_post"]`. + + Because Doorkeeper's `Application.by_uid_and_secret` treats a + blank/missing secret as valid for non-confidential (public) clients, an + attacker who knows only the client_id (which is public information) + can authenticate as the dynamically-registered client at the token endpoint. + + **Note** that Dynamic Client Registration is opt-in feature which is + disabled by default so only projects that explicitly enabled it are affected. + + **Steps to Reproduce** + + 1. Enable dynamic client registration in the initializer + 2. POST /oauth/registration with client_name, redirect_uris, and scope + 3. Observe: response returns client_secret, but the created + Doorkeeper::Application has confidential: false + 4. Call `Doorkeeper::Application.by_uid_and_secret(client_id, nil)` — it + returns the application (credentials bypass) + 5. 
POST /oauth/token with grant_type=client_credentials and only + client_id (no client_secret) — the token endpoint issues an access token + without any secret verification + + ### Workarounds + + Upgrade existing applications created with a Dynamic Client registration + to have `confidential: true` +cvss_v3: 6.3 +unaffected_versions: + - "< 1.9.0" +patched_versions: + - ">= 1.10.0" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44476 + - https://rubygems.org/gems/doorkeeper-openid_connect/versions/1.10.0 + - https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases/tag/v1.10.0 + - https://github.com/doorkeeper-gem/doorkeeper-openid_connect/security/advisories/GHSA-m6vc-f87m-cc2h + - https://github.com/advisories/GHSA-m6vc-f87m-cc2h +notes: | + - Looking for CVE reference: + - https://www.cve.org/CVERecord?id=CVE-2026-44476 (reserved) + - https://nvd.nist.gov/vuln/detail/CVE-2026-44476 (not found) + - https://cve.report/search.php?search=CVE-2026-44476 (not listed) + - https://www.cvedetails.com/index.php (not found; no URL parameter)
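Review bot: the `### Workarounds` block only addresses applications that already exist (`Upgrade existing applications ... to have confidential: true`), while the `### Impact` paragraph itself states that Dynamic Client Registration is an opt-in feature that is disabled by default; the advisory should therefore also tell operators to disable the registration endpoint in the initializer until `>= 1.10.0` is deployed, since any registration accepted on 1.9.x continues to create `confidential: false` clients and the one-time data fix does not cover those. Please also double-check that `unaffected_versions: "< 1.9.0"` corresponds to the release that introduced `DynamicClientRegistrationController`, because the record as written leaves exactly the 1.9.x series affected, and that the `notes:` entries get refreshed once the CVE record leaves its reserved state so the `url:` line in the header resolves.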