59 changes: 59 additions & 0 deletions gems/doorkeeper-openid_connect/CVE-2026-44476.yml
@@ -0,0 +1,59 @@
---
gem: doorkeeper-openid_connect
cve: 2026-44476
ghsa: m6vc-f87m-cc2h
url: https://www.cve.org/CVERecord?id=CVE-2026-44476
title: Dynamic Client Registration feature creates public clients
with client_secret
date: 2026-06-04
description: |
### Impact

The `DynamicClientRegistrationController#register` action hard-codes
`confidential: false` when creating applications
(dynamic_client_registration_controller.rb:18-25), yet the response
includes a client_secret and advertises `token_endpoint_auth_methods_supported:
["client_secret_basic", "client_secret_post"]`.

Because Doorkeeper's `Application.by_uid_and_secret` treats a
blank/missing secret as valid for non-confidential (public) clients, an
attacker who knows only the client_id (which is public information)
can authenticate as the dynamically-registered client at the token endpoint.

**Note** that Dynamic Client Registration is opt-in feature which is
disabled by default so only projects that explicitly enabled it are affected.

**Steps to Reproduce**

1. Enable dynamic client registration in the initializer
2. POST /oauth/registration with client_name, redirect_uris, and scope
3. Observe: response returns client_secret, but the created
Doorkeeper::Application has confidential: false
4. Call `Doorkeeper::Application.by_uid_and_secret(client_id, nil)` — it
returns the application (credentials bypass)
5. POST /oauth/token with grant_type=client_credentials and only
client_id (no client_secret) — the token endpoint issues an access token
without any secret verification

### Workarounds

Upgrade existing applications created with a Dynamic Client registration
to have `confidential: true`
cvss_v3: 6.3
unaffected_versions:
- "< 1.9.0"
patched_versions:
- ">= 1.10.0"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44476
- https://rubygems.org/gems/doorkeeper-openid_connect/versions/1.10.0
- https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases/tag/v1.10.0
- https://github.com/doorkeeper-gem/doorkeeper-openid_connect/security/advisories/GHSA-m6vc-f87m-cc2h
- https://github.com/advisories/GHSA-m6vc-f87m-cc2h
notes: |
- Looking for CVE reference:
- https://www.cve.org/CVERecord?id=CVE-2026-44476 (reserved)
- https://nvd.nist.gov/vuln/detail/CVE-2026-44476 (not found)
- https://cve.report/search.php?search=CVE-2026-44476 (not listed)
- https://www.cvedetails.com/index.php (not found; no URL parameter)
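Review bot: the `description` block carries `### Impact` and `### Workarounds` but no `### Patches` section, so the prose never states the fix even though `patched_versions` is set to `">= 1.10.0"`; a short section such as `### Patches` / `Upgrade to doorkeeper-openid_connect 1.10.0 or later.` would make the description self-contained for readers who only see the text. In the `### Workarounds` paragraph, "Upgrade existing applications created with a Dynamic Client registration to have `confidential: true`" should read "Update", since it describes changing the `confidential` flag on existing `Doorkeeper::Application` records rather than a version change; and because the Impact text itself notes that Dynamic Client Registration is opt-in and disabled by default, listing "disable Dynamic Client Registration until you can upgrade" as a second workaround would be consistent with the advisory as written. Finally, the `notes` field records the CVE as reserved and absent from NVD, so the `cvss_v3: 6.3` value should cite where it comes from (the GHSA, presumably) rather than stand unsourced.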