diff --git a/lib/devise/models/confirmable.rb b/lib/devise/models/confirmable.rb
index dbf6d0ffc8..9181d5ed65 100644
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@@ -349,6 +349,12 @@ def send_confirmation_instructions(attributes={})
 # Options must have the confirmation_token
 def confirm_by_token(confirmation_token)
 confirmable = find_first_by_auth_conditions(confirmation_token: confirmation_token)
+
+ if confirmable && confirmation_token.blank?
+ confirmable.errors.add(:confirmation_token, :blank)
+ return confirmable
+ end
+
 unless confirmable
 confirmation_digest = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
 confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_digest)
diff --git a/test/integration/confirmable_test.rb b/test/integration/confirmable_test.rb
index 73563f283f..d4dd15f07b 100644
--- a/test/integration/confirmable_test.rb
+++ b/test/integration/confirmable_test.rb
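Review bot: The blank-token guard in `confirm_by_token` runs after `find_first_by_auth_conditions`, so an empty or nil token still queries for a row whose `confirmation_token` is blank, and the method returns that persisted record with only an error attached. Whatever consumes the returned resource (outside this hunk) then holds a real account's attributes on a request that presented no token, so the rejection path should not depend on which row happened to match. Rejecting the input before the lookup avoids this: make `return new.tap { |r| r.errors.add(:confirmation_token, :blank) } if confirmation_token.blank?` the first statement of the method, assuming `new` is callable in this class-level context. The method body continues past the end of the hunk, so the later branches were not reviewed.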
@@ -175,6 +175,38 @@ def resend_confirmation assert_current_url '/users/sign_in' end + test "should not be able to confirm an email with a blank confirmation token" do + visit_user_confirmation_with_token("") + + assert_contain "Confirmation token can't be blank" + end + + test "should not be able to confirm an email with a nil confirmation token" do + visit_user_confirmation_with_token(nil) + + assert_contain "Confirmation token can't be blank" + end + + test "should not confirm user with blank confirmation token" do + user = create_user(confirm: false) + user.update_attribute(:confirmation_token, "") + + visit_user_confirmation_with_token("") + + assert_contain "Confirmation token can't be blank" + refute user.reload.confirmed? + end + + test "should not confirm user with nil confirmation token" do + user = create_user(confirm: false) + user.update_attribute(:confirmation_token, nil) + + visit_user_confirmation_with_token(nil) + + assert_contain "Confirmation token can't be blank" + refute user.reload.confirmed? + end + test 'error message is configurable by resource name' do store_translations :en, devise: { failure: { user: { unconfirmed: "Not confirmed user" } }