External risk intelligence

Rocket.Chat CAS Login Bypass Leading to Account Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-45688

Rocket.Chat is a communications platform typically deployed as a public-facing web service or API endpoint to facilitate external and internal connectivity. As a web-based chat and collaboration application, it is designed to be accessible via the internet, making this pre-authentication vulnerability reachable to unauthenticated remote attackers.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Rocket.Chat, a communication platform. An unauthenticated attacker could exploit this by manipulating login requests to bypass authentication, potentially gaining unauthorized access to user accounts, including administrator privileges. This could lead to a full compromise of the platform.

  • Unauthenticated attackers can bypass login.
  • Compromise of user accounts, including admin.
  • Confirm platform relevance and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can target the CAS login handler of Rocket.Chat. By sending a specially crafted request that substitutes a MongoDB query operator for a ticket string, an attacker can bypass authentication. This allows them to obtain a valid authentication token belonging to another user, potentially an administrator, leading to full instance compromise if administrative privileges are gained.

  • Unauthenticated access to login handler.
  • Injects NoSQL query operators.
  • Full instance compromise possible.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an unauthenticated attacker could bypass authentication for Rocket.Chat's CAS login by injecting MongoDB query operators. This could allow them to impersonate legitimate users, including administrators, and gain access to the complete REST and DDP surface of the platform.

  • User accounts and administrative access.
  • Injected operators bypass ticket checks.
  • Full instance compromise is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Rocket.Chat's CAS login handler requires action from teams managing the platform and its authentication integrations. The immediate first step is to identify all instances of the affected Rocket.Chat versions, confirm their external reachability and business criticality, and locate the specific application or platform owner responsible for remediation.

  • Platform or application owners should lead.
  • Verify CAS/SAML authentication reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rocket.Chat?

Rocket.Chat is an open-source, customizable communication platform used by organizations to host internal and external collaboration. It supports various authentication methods, including CAS and SAML, to manage user access. This software is frequently deployed as a web service, enabling teams to exchange messages, share files, and integrate with other enterprise tools.

What does CWE-943 mean for CVE-2026-45688?

This CVE involves a weakness known as Improper Neutralization of Special Elements in Data Query Logic, or CWE-943. In this case, the software fails to sanitize input during the login process. Because the system does not verify the data type of the input, an attacker can replace a standard ticket string with a MongoDB query operator, effectively tricking the database into returning unauthorized authentication tokens.

How does an attacker trigger this vulnerability?

The attacker targets the CAS login handler by submitting a specially crafted request containing NoSQL query operators instead of an expected ticket value. This triggers the flaw because the system processes the input directly in a database query. Notably, simple requests without active SSO login attempts or requests that do not inject these specific query operators will not cause the bypass.

Is my server at risk according to Halo Surface Signal?

Halo Surface Signal identifies that Rocket.Chat is designed for connectivity, meaning many instances are public-facing web services. If your installation is accessible via the internet, it is reachable by unauthenticated remote attackers. Organizations should prioritize assessing whether their instance is exposed to the internet or restricted to internal networks, as public access significantly increases the relevance of this threat.

What should I do first to address this issue?

Begin by identifying all running Rocket.Chat instances in your environment to see if they are using one of the affected versions listed in the advisory. Once identified, confirm the reachability and criticality of these instances. Coordinate with the relevant platform owners to plan for the application of the official security updates, which resolve the login handler flaw by properly validating the incoming authentication data.

References