Doorkeeper Improper Authentication vulnerability
Description
Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to version 5.6.6, Doorkeeper automatically processes authorization requests without user consent for public clients that have been previously approved. Public clients are inherently vulnerable to impersonation; their identity cannot be assured. This issue is fixed in version 5.6.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Doorkeeper before 5.6.6 automatically processes OAuth authorization requests without re-prompting for user consent for public clients, enabling potential impersonation.
Vulnerability
Doorkeeper prior to version 5.6.6 automatically processes authorization requests without re-prompting for user consent for public clients that have been previously approved [1]. This behavior is problematic because, as noted in RFC 8252, public clients (e.g., native apps) cannot reliably prove their identity, making them inherently vulnerable to impersonation [1]. The underlying issue is that Doorkeeper did not differentiate between confidential and public clients when determining whether to skip consent for previously approved applications [2].
Exploitation
An attacker can exploit this by impersonating a legitimate public client, such as a native mobile application. If the victim user has previously authorized the legitimate client, Doorkeeper will automatically approve the attacker's authorization request without any user interaction [2]. The attacker only needs to know the client_id and a valid redirect URI to initiate the attack. No additional authentication or user consent is required at the time of attack.
Impact
Successful exploitation allows the attacker to obtain an authorization code or access token, thereby gaining access to the user's protected resources via the OAuth 2.0 protocol [3]. This can lead to unauthorized data access or actions on behalf of the user, potentially compromising sensitive information.
Mitigation
The issue is fixed in Doorkeeper version 5.6.6 [4]. All users are advised to upgrade to this version or later. There is no known workaround for earlier versions. Administrators should review their OAuth client registrations and ensure that public clients are configured appropriately, but upgrading is the primary remedy.
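As an added illustration (not Doorkeeper's own code and not the actual 5.6.6 patch), the Ruby below models the consent-skip decision described above: the vulnerable policy reuses a prior approval regardless of client type, while the fixed policy reuses it only for confidential clients, re-prompting public clients every time. The `Client`, `Grant` and `ConsentPolicy` names and the sample data are assumptions constructed for the example.

```ruby
# Added illustration, not Doorkeeper's own code: a minimal model of the
# "skip the consent screen for a previously approved client" decision.
Client = Struct.new(:client_id, :confidential, keyword_init: true)
Grant  = Struct.new(:client_id, :resource_owner_id, :scopes, keyword_init: true)

# Constructed sample data: a confidential web app and a public native app,
# both approved earlier by user "alice" for the "read" scope.
CLIENTS = {
  "web-app"    => Client.new(client_id: "web-app", confidential: true),
  "native-app" => Client.new(client_id: "native-app", confidential: false),
}.freeze
GRANTS = [
  Grant.new(client_id: "web-app",    resource_owner_id: "alice", scopes: %w[read]),
  Grant.new(client_id: "native-app", resource_owner_id: "alice", scopes: %w[read]),
].freeze

class ConsentPolicy
  # reuse_for_public_clients: true models the pre-5.6.6 behaviour,
  # false models the behaviour after the 5.6.6 fix.
  def initialize(grants, reuse_for_public_clients:)
    @grants = grants
    @reuse_for_public_clients = reuse_for_public_clients
  end

  # :skip   -> issue the authorization code without showing the consent screen
  # :prompt -> show the consent screen again
  def decide(client, resource_owner_id, requested_scopes)
    # A public client cannot prove its identity (RFC 8252), so a prior
    # approval says nothing about who is presenting this client_id now.
    return :prompt if !client.confidential && !@reuse_for_public_clients
    covered = @grants.any? do |g|
      g.client_id == client.client_id &&
        g.resource_owner_id == resource_owner_id &&
        (requested_scopes - g.scopes).empty?
    end
    covered ? :skip : :prompt
  end
end

VULNERABLE = ConsentPolicy.new(GRANTS, reuse_for_public_clients: true)
FIXED      = ConsentPolicy.new(GRANTS, reuse_for_public_clients: false)

def consent_decision(policy, client_id, owner, scopes)
  policy.decide(CLIENTS.fetch(client_id), owner, scopes)
end

%w[web-app native-app].each do |id|
  puts "#{id}: vulnerable=#{consent_decision(VULNERABLE, id, 'alice', %w[read])} " \
       "fixed=#{consent_decision(FIXED, id, 'alice', %w[read])}"
end
```

Only the public client's outcome changes between the two policies; a confidential client with a matching prior grant still skips consent, and any request for broader scopes or from a different user is prompted under both.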
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| doorkeeper (RubyGems) | < 5.6.6 | 5.6.6 |
Affected products
- doorkeeper-gem/doorkeeper (v5), range: < 5.6.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7w2c-w47h-789w
- nvd.nist.gov/vuln/detail/CVE-2023-34246
- github.com/doorkeeper-gem/doorkeeper/issues/1589
- github.com/doorkeeper-gem/doorkeeper/pull/1646
- github.com/doorkeeper-gem/doorkeeper/releases/tag/v5.6.6
- github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
- github.com/rubysec/ruby-advisory-db/blob/master/gems/doorkeeper/CVE-2023-34246.yml
- lists.debian.org/debian-lts-announce/2023/07/msg00016.html
- lists.debian.org/debian-lts-announce/2024/12/msg00010.html
- www.rfc-editor.org/rfc/rfc8252
News mentions
No linked articles in our index yet.