Impact
Rocket.Chat servers running versions 6.12.0 or earlier allow any authenticated user to call GET /api/v1/oauth-apps.get, which returns the OAuth application data for a known application ID. The endpoint exposes sensitive fields such as client_id and client_secret. This flaw permits an attacker to read credentials that are intended to be protected, potentially enabling unauthorized API calls, data leakage, and compromise of the communication platform. The weakness maps to CWE-269 and CWE-862.
Affected Systems
The affected vendor is Rocket.Chat. The product is the Rocket.Chat open-source communications platform. In all releases earlier than 6.12.0 the vulnerable API endpoint is present. Versions newer than 6.12.0 contain the fix.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity. The EPSS value of less than 1% suggests a low probability of exploitation, but the attack requires only a valid authenticated session and knowledge of an application ID. The ability to enumerate or guess application IDs is inferred from the description rather than directly stated. Because the vulnerability is limited to the disclosure of credential information and does not allow arbitrary code execution, it is primarily a confidentiality breach. The issue is not listed in the CISA KEV catalog, so no active exploitation has been reported yet.
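The following JavaScript is an added illustration and is not Rocket.Chat's own code. It models the missing-authorization pattern described above (an authenticated but unprivileged user receiving the full OAuth application record, client secret included) beside a hardened handler that also requires an administrative permission before returning any field, and it adds a small retrospective audit over constructed access-log lines so operators can check whether the endpoint was served to users lacking that permission. The permission name "manage-oauth-apps", the user and application records, and the log line format are assumptions made for this example.

```javascript
// Added illustration, not Rocket.Chat code: a minimal model of an
// "oauth-apps.get"-style endpoint showing the missing-authorization
// pattern (CWE-862) beside a hardened handler, plus a log audit for
// defenders. All data, the permission name and the log format are
// constructed for the example.

// Constructed OAuth application store (the secret is a placeholder).
const OAUTH_APPS = {
  'app-1': {
    _id: 'app-1',
    name: 'CI bot',
    clientId: 'ci-bot',
    clientSecret: 'CONSTRUCTED-SECRET-1',
    active: true,
  },
};

// Constructed users: alice is an administrator, bob is a regular user.
const USERS = {
  alice: { username: 'alice', permissions: ['manage-oauth-apps'] },
  bob: { username: 'bob', permissions: [] },
};

// Assumed permission name gating OAuth app administration.
const REQUIRED_PERMISSION = 'manage-oauth-apps';

function hasPermission(user, permission) {
  return Boolean(user) && user.permissions.includes(permission);
}

// Vulnerable pattern: checks only that *some* user is logged in, then
// returns the complete record, including the client secret.
function getOAuthAppVulnerable(user, appId) {
  if (!user) return { status: 401, body: { success: false, error: 'unauthorized' } };
  const app = OAUTH_APPS[appId];
  if (!app) return { status: 404, body: { success: false, error: 'not found' } };
  return { status: 200, body: { success: true, oauthApp: app } };
}

// Hardened pattern: authentication is necessary but not sufficient; the
// caller must also hold the administrative permission. The permission
// check runs before the lookup so an unprivileged caller cannot even
// learn whether an application ID exists.
function getOAuthAppHardened(user, appId) {
  if (!user) return { status: 401, body: { success: false, error: 'unauthorized' } };
  if (!hasPermission(user, REQUIRED_PERMISSION)) {
    return { status: 403, body: { success: false, error: 'forbidden' } };
  }
  const app = OAUTH_APPS[appId];
  if (!app) return { status: 404, body: { success: false, error: 'not found' } };
  return { status: 200, body: { success: true, oauthApp: app } };
}

// Constructed access-log lines in an assumed format:
//   <timestamp> user=<name> method=<verb> path=<path> status=<code>
const SAMPLE_LOG = [
  '2024-09-01T10:00:00Z user=alice method=GET path=/api/v1/oauth-apps.get?appId=app-1 status=200',
  '2024-09-01T10:01:00Z user=bob method=GET path=/api/v1/oauth-apps.get?appId=app-1 status=200',
  '2024-09-01T10:02:00Z user=bob method=GET path=/api/v1/me status=200',
];

// Retrospective audit: flag every successful oauth-apps.get response
// served to a user who does not hold the administrative permission.
// On an unpatched server such hits indicate credential exposure to
// review (rotate affected client secrets).
function auditOAuthAppAccess(lines, users) {
  const findings = [];
  const pattern = /user=(\S+) method=(\S+) path=(\S+) status=(\d+)/;
  for (const line of lines) {
    const m = pattern.exec(line);
    if (!m) continue;
    const [, username, , path, status] = m;
    if (!path.startsWith('/api/v1/oauth-apps.get')) continue;
    if (status !== '200') continue;
    if (!hasPermission(users[username], REQUIRED_PERMISSION)) {
      findings.push({
        username,
        path,
        reason: 'oauth-apps.get served to user without ' + REQUIRED_PERMISSION,
      });
    }
  }
  return findings;
}

// Stand-alone demonstration.
console.log('vulnerable, bob:', getOAuthAppVulnerable(USERS.bob, 'app-1').status);
console.log('hardened, bob:', getOAuthAppHardened(USERS.bob, 'app-1').status);
console.log('audit findings:', auditOAuthAppAccess(SAMPLE_LOG, USERS));
```

The audit function is the part a defender would adapt: substitute the real access-log format and the real permission lookup, and treat every hit as a secret that must be considered exposed until rotated.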
OpenCVE Enrichment