External risk intelligence

Rocket.Chat OAuth Token Forgery Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-45689

Rocket.Chat is a communication platform designed as a public-facing web service. This vulnerability exists in an unauthenticated OAuth endpoint, which is a core component intended to be exposed to the internet for user authentication and API interaction in standard deployments.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Rocket.Chat, an open-source communication platform. An unauthenticated attacker can exploit this flaw to gain unauthorized access to user accounts, potentially including administrative privileges, by manipulating authentication requests. This could allow for broad access to sensitive information and system control.

  • Access tokens can be stolen without authentication.
  • It impacts core user and admin access controls.
  • Confirm relevance and assess exposure to internal systems.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker on the network can obtain a valid Rocket.Chat OAuth access token for any user by sending a crafted HTTP POST request to the `/oauth/token` endpoint. This allows the attacker to impersonate users and gain access to their API functionalities. If the impersonated user is an administrator, the attacker can achieve full administrative control, including executing arbitrary code on the server.

  • No account or credentials required.
  • Exploits OAuth token endpoint.
  • Leads to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could gain access to user accounts and sensitive information within Rocket.Chat by exploiting a flaw in the OAuth token generation process. This occurs when the system improperly handles parameters, allowing the attacker to craft requests that yield valid access tokens for arbitrary users, including administrators.

  • User access tokens and refresh tokens.
  • Sending crafted HTTP POST requests to /oauth/token.
  • Unauthorized access to user data and admin functions.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Rocket.Chat's OAuth token endpoint requires immediate attention from platform and security teams. The first practical step is to identify all Rocket.Chat instances, confirm their external reachability and business criticality, and then determine the accountable owner for remediation.

  • Platform and security teams own this issue.
  • Verify external reachability of OAuth endpoints.
  • Plan coordinated updates during maintenance.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rocket.Chat's primary function in an enterprise environment?

Rocket.Chat provides an open-source, customizable communication platform facilitating team collaboration and digital workspaces. It functions as a central hub for messaging and data exchange, utilizing integrated OAuth services to manage authentication and session tokens for connected users and applications.

How does CVE-2026-45689 vulnerability function?

This issue is classified under CWE-943, involving improper neutralization of special elements in database queries. The platform fails to validate OAuth grant parameters before processing them in MongoDB database lookups, allowing for improper data access through crafted query operators.

What is the mechanism used to trigger this authentication flaw?

Attackers can bypass authentication by sending a specific HTTP POST request to the OAuth token endpoint. By replacing expected parameter values with MongoDB operators like $ne or $nin, the system logic is manipulated to return valid user access tokens without requiring existing credentials or prior account interaction.

Why is this vulnerability highly relevant to network security?

According to the Halo Surface Signal, this vulnerability is very likely to be targeted because Rocket.Chat is often deployed as a public-facing service. Since the flaw exists in an unauthenticated OAuth endpoint, it is exposed to the internet by design, facilitating unauthorized access to user accounts or administrative API functions.

How should security teams respond to this threat?

Administrators must prioritize updating instances to the patched versions. The immediate response should involve identifying all Rocket.Chat deployments, verifying their network exposure, and coordinating maintenance windows to apply the necessary software updates to remediate the authentication logic flaw.

References