External risk intelligence

Rocket.Chat Account Takeover via Forged Apple Tokens.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-55666

Rocket.Chat is a communication platform designed to be publicly accessible for user login and collaboration. This vulnerability exists in the Apple OAuth login handler, which is a public-facing authentication endpoint used in standard deployments of the application.

Authentication Bypass

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Rocket.Chat, an open-source communications platform, that could allow attackers to take over user accounts by forging authentication tokens. The issue arises when the platform handles login requests from Apple's OAuth service, specifically when an email address is not provided. This could potentially impact any organization using Rocket.Chat for internal or external communications, with the primary concern being to confirm if the platform is in use and if it is exposed to external networks.

  • Compromises user accounts via forged login data.
  • Matters for organizations using Rocket.Chat.
  • Confirm usage and external exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by crafting a fraudulent Apple JWT that omits an email address. When Rocket.Chat's login handler processes this forged token, it may accept an arbitrary email provided by the attacker, potentially leading to account takeover.

  • Publicly accessible login endpoint.
  • Forged Apple JWT without email.
  • Account takeover risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to take over user accounts. When a user attempts to log in using Apple's OAuth service, the system may not properly validate the user's email address if it's not present in the provided token. This could enable an attacker to forge a token without an email and register an account with an arbitrary email address, effectively hijacking legitimate accounts.

  • User account access.
  • Forged tokens bypassing email validation.
  • Unauthorized account access and control.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world ownership for this vulnerability likely falls to the platform or application team managing Rocket.Chat, with support from the security team for exposure analysis and the vendor-management team if using a managed service. The immediate practical step is to identify all Rocket.Chat instances, determine their reachability and criticality, and locate the accountable owner to initiate remediation planning based on risk.

  • Platform or application team owns the issue.
  • Verify public-facing instances and reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rocket.Chat and why does it have an Apple login?

Rocket.Chat is an open-source platform that enables teams to communicate through chat, video, and file sharing. It supports single sign-on providers like Apple to streamline how users authenticate. This feature integrates the platform with Apple’s identity services, allowing users to log in using their established Apple credentials instead of creating new, platform-specific passwords.

How does CVE-2026-55666 create a security weakness?

This vulnerability falls under improper authentication (CWE-287). The software incorrectly trusts a user-supplied email address if the token from Apple is missing one. Because the application fails to verify the authenticity of the email provided during this specific login path, an attacker can manipulate the process to associate their session with an arbitrary account, effectively bypassing standard identity checks.

Do I need an Apple account to trigger this CVE?

No. The vulnerability is triggered by an attacker crafting a forged Apple JSON Web Token (JWT) that intentionally omits an email address. This issue is specifically tied to how the server processes these incomplete tokens. Normal, legitimate login attempts where a valid Apple token containing a verified email is presented do not trigger this bypass.

Why is Rocket.Chat considered at risk based on Halo Surface Signal?

Halo Surface Signal identifies Rocket.Chat as a communication tool typically deployed to be publicly accessible for collaboration. Because this vulnerability affects the Apple OAuth login handler—an endpoint designed to be reachable by external users—the platform is considered highly likely to face exposure if it is connected to the internet.

When should I update my Rocket.Chat deployment?

You should prioritize updating as soon as possible. Because this issue permits account takeover without requiring authentication, it represents a significant risk to user data. Verify your current software version and apply the vendor-provided security patches, which are available for versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13 to permanently resolve the token handling error.

References