---
gem: doorkeeper-openid_connect
cve: 2026-44476
ghsa: m6vc-f87m-cc2h
url: https://www.cve.org/CVERecord?id=CVE-2026-44476
title: Dynamic Client Registration feature creates public clients with client_secret
date: 2026-06-04
description: |
  ### Impact
  The `DynamicClientRegistrationController#register` action hard-codes
  `confidential: false` when creating applications
  (dynamic_client_registration_controller.rb:18-25), yet the response
  includes a client_secret and advertises `token_endpoint_auth_methods_supported:
  ["client_secret_basic", "client_secret_post"]`.
  Because Doorkeeper's `Application.by_uid_and_secret` treats a
  blank/missing secret as valid for non-confidential (public) clients, an
  attacker who knows only the client_id (which is public information)
  can authenticate as the dynamically-registered client at the token endpoint.

  **Note** that Dynamic Client Registration is an opt-in feature which is
  disabled by default, so only projects that explicitly enabled it are affected.

  **Steps to Reproduce**
  1. Enable dynamic client registration in the initializer
  2. POST /oauth/registration with client_name, redirect_uris, and scope
  3. Observe: the response returns a client_secret, but the created
     Doorkeeper::Application has confidential: false
  4. Call `Doorkeeper::Application.by_uid_and_secret(client_id, nil)` — it
     returns the application (credentials bypass)
  5. POST /oauth/token with grant_type=client_credentials and only
     client_id (no client_secret) — the token endpoint issues an access token
     without any secret verification

  ### Workarounds
  Update existing applications created through Dynamic Client Registration
  to have `confidential: true`
cvss_v3: 6.3
unaffected_versions:
  - "< 1.9.0"
patched_versions:
  - ">= 1.10.0"
related:
  url:
    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44476
    - https://rubygems.org/gems/doorkeeper-openid_connect/versions/1.10.0
    - https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases/tag/v1.10.0
    - https://advisories.gitlab.com/gem/doorkeeper-openid_connect/CVE-2026-44476
    - https://github.com/doorkeeper-gem/doorkeeper-openid_connect/security/advisories/GHSA-m6vc-f87m-cc2h
    - https://github.com/advisories/GHSA-m6vc-f87m-cc2h
notes: |
  - Looking for CVE reference:
    - https://www.cve.org/CVERecord?id=CVE-2026-44476 (reserved)
    - https://nvd.nist.gov/vuln/detail/CVE-2026-44476 (not found)
    - https://cve.report/search.php?search=CVE-2026-44476 (not listed)
    - https://www.cvedetails.com/index.php (not found; no URL parameter)
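The following is an added, self-contained Ruby example, not code from doorkeeper-openid_connect, Doorkeeper, or this advisory database. It models the credential check the advisory attributes to `Doorkeeper::Application.by_uid_and_secret` (a blank secret is accepted for a public client, otherwise the secret must match), shows the vulnerable registration shape beside the fixed one, and implements the advisory's workaround as an audit-and-remediate pass. `Application`, `register_vulnerable`, `register_fixed`, `inconsistent_apps`, `remediate!` and `demo` are constructed for this example; the `Application` struct stands in for the real ActiveRecord model.

```ruby
# Added example (not code from doorkeeper-openid_connect or Doorkeeper): a
# self-contained model of the credential check the advisory describes, plus
# an audit and remediation pass implementing the advisory's workaround.
require "securerandom"

# Stand-in for Doorkeeper::Application, constructed for this example.
Application = Struct.new(:uid, :secret, :confidential, keyword_init: true)

# Constant-time comparison, so the secret check does not leak through timing
# once it is actually enforced.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the lookup semantics the advisory attributes to
# Doorkeeper::Application.by_uid_and_secret: a blank secret is accepted for a
# non-confidential (public) client; otherwise the stored secret must match.
def by_uid_and_secret(apps, uid, secret)
  app = apps.find { |a| a.uid == uid }
  return nil unless app
  if secret.nil? || secret.empty?
    return app.confidential ? nil : app
  end
  return nil if app.secret.nil? || app.secret.empty?
  secure_compare(app.secret, secret) ? app : nil
end

# Vulnerable registration shape: the client is stored as public
# (confidential: false) yet handed a client_secret in the response.
def register_vulnerable(apps)
  app = Application.new(uid: SecureRandom.hex(16),
                        secret: SecureRandom.hex(32),
                        confidential: false)
  apps << app
  { client_id: app.uid, client_secret: app.secret }
end

# Fixed registration shape: a client that is issued a secret is stored as
# confidential, so the token endpoint insists on that secret.
def register_fixed(apps)
  app = Application.new(uid: SecureRandom.hex(16),
                        secret: SecureRandom.hex(32),
                        confidential: true)
  apps << app
  { client_id: app.uid, client_secret: app.secret }
end

# Audit: applications that carry a secret but are flagged public are in the
# inconsistent state the advisory describes.
def inconsistent_apps(apps)
  apps.select { |a| !a.confidential && !(a.secret.nil? || a.secret.empty?) }
end

# Workaround from the advisory: flip those applications to confidential.
def remediate!(apps)
  inconsistent_apps(apps).each { |a| a.confidential = true }
  apps
end

# Walks through the bypass and the remediation and returns the observations.
def demo
  apps = []
  creds = register_vulnerable(apps)
  bypass_before = !by_uid_and_secret(apps, creds[:client_id], nil).nil?
  remediate!(apps)
  bypass_after = !by_uid_and_secret(apps, creds[:client_id], nil).nil?
  secret_ok = !by_uid_and_secret(apps, creds[:client_id], creds[:client_secret]).nil?
  wrong_secret = !by_uid_and_secret(apps, creds[:client_id], "x" * 64).nil?
  { bypass_before: bypass_before, bypass_after: bypass_after,
    secret_accepted: secret_ok, wrong_secret_accepted: wrong_secret }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Running the file prints `bypass_before: true` and `bypass_after: false`: before remediation the client_id alone authenticates, after it only the issued secret does. On a real install the same predicate (`confidential` false with a non-blank `secret`) is what to query on the `Doorkeeper::Application` model; that assumes the standard Doorkeeper schema, and since Doorkeeper can store secrets hashed, confirm the fix against the token endpoint itself (step 5 above) rather than against the stored value.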