RubyGems package
doorkeeper-openid_connect
pkg:gem/doorkeeper-openid_connect
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44476 | — | | | >= 1.9.0, < 1.10.0 | 1.10.0 | Jun 4, 2026 | ### Impact The `DynamicClientRegistrationController#register` action hard-codes `confidential: false` when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises `token_endpoint_auth_methods_supported: [" |
| CVE-2019-9837 | — | | | >= 1.4.0, < 1.5.4 | 1.5.4 | Mar 15, 2019 | Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with the 'openid' scope and a prompt=none value. This all |