PatchSiren cyber security CVE debrief
CVE-2016-6582 Doorkeeper Project CVE debrief
CVE-2016-6582 affects the Doorkeeper gem for Ruby and is rated Critical (CVSS 9.1). The issue is described as a failure to fully implement the OAuth 2.0 Token Revocation specification, which may let a remote attacker conduct replay attacks or revoke arbitrary tokens. The vulnerable range is identified in NVD as Doorkeeper versions up to 4.1.0, with the vendor patch reference pointing to release v4.2.0. Public references date the issue to the CVE publication on 2017-01-23, while the record was later modified on 2026-05-13.
- Vendor: Doorkeeper Project
- Product: CVE-2016-6582
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-23
- Advisory updated: 2026-05-13
Who should care
Teams running Ruby applications that use the Doorkeeper gem for OAuth authorization should treat this as a high-priority upgrade issue, especially if the application depends on token revocation for session control, logout flows, or token lifecycle enforcement.
Technical summary
NVD’s record describes a weakness in Doorkeeper’s handling of OAuth 2.0 token revocation. Because revocation behavior did not align with the specification, a remote attacker could potentially replay or revoke tokens that should not have been accepted. The NVD CPE marks Doorkeeper versions through 4.1.0 as vulnerable, and the linked project release v4.2.0 is the associated patch reference. NVD also maps the issue to CWE-254.
Defensive priority
High. This is a remotely reachable authentication/authorization integrity issue with potential impact on token validity and access control. Upgrade planning should be prioritized over routine maintenance.
Recommended defensive actions
- Upgrade Doorkeeper to 4.2.0 or later.
- Verify all Ruby applications using Doorkeeper are deployed with the fixed version.
- Review OAuth token revocation flows for assumptions about one-time use and invalidation behavior.
- Invalidate and rotate sensitive tokens if you believe a vulnerable version was exposed in production.
- Check application logs and identity-provider integrations for unusual token revocation or replay patterns.
- Use the vendor issue tracker and release notes to confirm the remediation path before deployment.
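The first two actions above come down to one check per application: is the pinned Doorkeeper version below the fixed release? The following Ruby script is an added example written for this debrief (it is not from the Doorkeeper project or from NVD). It reads a Gemfile.lock, pulls the pinned gem versions out of the specs section, and compares the doorkeeper entry against the 4.2.0 fix reference using RubyGems' own version ordering, so pre-release and multi-digit versions compare correctly. The lockfile excerpt embedded in it is constructed for illustration.

```ruby
require "rubygems"

# Constructed sample Gemfile.lock excerpt (not taken from any real project).
# Only the pinned "doorkeeper (x.y.z)" line matters for the check.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      doorkeeper (4.1.0)
        railties (>= 4.2)
      railties (5.0.1)
LOCK

# Per the NVD range quoted in this debrief: versions through 4.1.0 are
# affected and the vendor fix reference is release v4.2.0.
FIXED_VERSION = Gem::Version.new("4.2.0")

# Extract pinned gem versions from a Gemfile.lock.
# Pinned specs sit at exactly four spaces of indentation ("    name (1.2.3)");
# deeper lines are dependency constraints such as "railties (>= 4.2)" and are
# skipped, since they are requirements rather than resolved versions.
# Returns a hash of gem name => Gem::Version.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = /\A {4}(?<name>\S+) \((?<version>[^)]+)\)\s*\z/.match(line)
    next unless m
    versions[m[:name]] = Gem::Version.new(m[:version])
  end
  versions
end

# Classify the doorkeeper pin: :not_present, :vulnerable (< 4.2.0) or :fixed.
def doorkeeper_status(lockfile_text)
  version = locked_versions(lockfile_text)["doorkeeper"]
  return :not_present if version.nil?
  version < FIXED_VERSION ? :vulnerable : :fixed
end

# Usage: ruby check_doorkeeper.rb [path/to/Gemfile.lock]
# With no argument the constructed sample lockfile is checked.
if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  pinned = locked_versions(text)["doorkeeper"]
  puts "doorkeeper #{pinned || '(not pinned)'}: #{doorkeeper_status(text)}"
end
```

Run it against each deployed application's Gemfile.lock as part of the verification step; a result of :vulnerable means the lockfile still resolves to a version in the affected range and the upgrade has not actually shipped. This is the same comparison a dependency scanner such as bundler-audit performs against its advisory database, but done explicitly for this one CVE so the outcome is easy to audit.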
Evidence notes
This debrief is based on the supplied CVE/NVD metadata and linked official references only. The core facts supported by the corpus are: CVE-2016-6582, Doorkeeper gem for Ruby, vulnerable versions through 4.1.0, fix reference v4.2.0, description of replay or arbitrary token revocation risk, CVSS 9.1 Critical, published 2017-01-23, modified 2026-05-13. The source corpus does not include the full advisory text, so no additional implementation details are inferred.
Official resources
- CVE-2016-6582 CVE record (CVE.org)
- CVE-2016-6582 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Mailing List, Patch, Third Party Advisory
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Release Notes, Third Party Advisory
The CVE was published on 2017-01-23 and later modified on 2026-05-13. The supplied references indicate the fix is associated with Doorkeeper v4.2.0. This debrief uses the CVE publication date as the issue’s disclosure context and does not,