Doorkeeper OAuth Gem Exposes Critical Security Flaws: 5 Vulnerabilities, Including High-Severity CVE-2026-33176
A security alert has been raised for the widely used Doorkeeper OAuth 2.0 provider gem for Ruby on Rails. Version 5.8.2 of the `doorkeeper` gem is reported to contain five distinct vulnerabilities, the highest of which carries a CVSS score of 7.5 (a High rating under CVSS v3, not Critical). The exposure was identified within the dependency chain of the `intercode` project on GitHub, which pinpointed the vulnerable library path and the commit that brought the affected version into that project's lockfile. Because Doorkeeper sits in the authentication and authorization layer, any application whose `Gemfile.lock` resolves to this version inherits the same exposure for its OAuth endpoints.
The most severe issue is tracked as CVE-2026-33176, rated high severity. The scan traced the vulnerable library through the project's `Gemfile.lock`, with the path resolving to a cached gem file rather than vendored source. The technical details of the five vulnerabilities are not disclosed in this report, so the attack surface (token issuance, grant handling, client authentication, or something else) cannot be stated here; what the 7.5 score does indicate is a flaw that could plausibly lead to unauthorized access or data compromise. The report marks the findings as remediable, which implies that fixed releases exist; the exact patched version should be taken from the published advisory rather than assumed.
This discovery places immediate pressure on development teams and organizations with Doorkeeper 5.8.2 or nearby versions in their dependency trees. The intercode project's exposure serves as a public case study, but the risk is systemic across the Ruby ecosystem because the gem is a common choice for OAuth 2.0 providers. Maintainers should check the locked version (`grep -n 'doorkeeper (' Gemfile.lock`), run a dependency audit such as `bundle-audit check --update` against the advisory database, upgrade to the patched release named in the advisory, and review their OAuth configuration (registered redirect URIs, enabled grant flows, token expiry and revocation) while the change is fresh. Applications left on the vulnerable version become easier targets once the CVE details are public and exploitation attempts follow.
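One way to carry out the lockfile audit described above, written here as an added example rather than code from the intercode project or the Doorkeeper gem. It parses the `GEM ... specs:` section of a `Gemfile.lock`, extracts the top-level `doorkeeper` version, and compares it with the reported 5.8.2. The lockfile embedded in the script is constructed for illustration, and the `fixed_version:` keyword is a hypothetical parameter: the first patched release is not stated on this page and must be supplied from the advisory.

```ruby
# Added example (not from intercode or doorkeeper): flag a Gemfile.lock
# whose top-level doorkeeper version is at or below the reported 5.8.2.
require "rubygems" # for Gem::Version

REPORTED_VULNERABLE = "5.8.2" # version named in the report

# Constructed sample lockfile for demonstration only (not a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      doorkeeper (5.8.2)
        railties (>= 5)
      railties (7.1.3)
      rails (7.1.3)
        railties (= 7.1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    doorkeeper
    rails

  BUNDLED WITH
     2.5.6
LOCK

# Return { gem_name => version } for every top-level spec in the GEM
# section. Bundler indents resolved gems by exactly four spaces; lines
# indented further are that gem's dependency constraints, not versions.
def locked_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES, ...)
    # ends the specs block.
    in_specs = false if line.strip.empty? || line =~ /\A[A-Z]/
    next unless in_specs
    specs[$1] = $2 if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
  end
  specs
end

# Compare the locked doorkeeper version with the reported release.
# fixed_version is a hypothetical argument (assumed, not from the page):
# pass the first patched release from the advisory. With nil, anything at
# or below the reported version is flagged and anything newer is :unknown,
# because this page does not say which later release carries the fix.
def assess_doorkeeper(lock_text, fixed_version: nil)
  version = locked_specs(lock_text)["doorkeeper"]
  return { locked: nil, status: :not_present } unless version

  v = Gem::Version.new(version)
  status =
    if fixed_version && v >= Gem::Version.new(fixed_version)
      :patched
    elsif v <= Gem::Version.new(REPORTED_VULNERABLE)
      :vulnerable
    else
      :unknown
    end
  { locked: version, status: status }
end

# Usage: ruby audit_doorkeeper.rb [path/to/Gemfile.lock]
if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  result = assess_doorkeeper(text)
  puts "doorkeeper #{result[:locked] || '(not locked)'}: #{result[:status]}"
end
```

Run it against a real lockfile by passing the path; without an argument it evaluates the constructed sample and reports `vulnerable`. Treat `:unknown` as "verify against the advisory", not as safe: a version newer than 5.8.2 is only cleared once the advisory's fixed release is passed in and the comparison returns `:patched`.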