Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Published: 2026-06-24
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can send a CAS login request whose credentialToken is a MongoDB query operator object (for example {"$gt": ""} or {"$ne": null}) rather than a string. The handler forwards the value unchanged into a findOne query on the credential_tokens collection with no runtime type validation, so the operator matches the first unexpired document and the CAS ticket check is bypassed. While a legitimate CAS or SAML login is in progress, the attacker's follow-up DDP login call with the same injected operator matches the victim's pending credential-token document and is issued a full Meteor authentication token (userId + token) for the victim, usable immediately against every REST and DDP endpoint as that user. If the victim is an administrator, the attacker can install a malicious Apps-Engine app and fully compromise the instance. This is a NoSQL injection (CWE-943) that yields session hijack of arbitrary SSO users and, for administrator victims, full instance compromise.

Affected Systems

Rocket.Chat 8.x releases before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4 and 8.0.5 on their respective minor lines, and 7.x releases before 7.13.7 and 7.10.11. The versions listed are the first fixed releases, not the last affected ones. Only deployments with CAS (and, for the hijack target, CAS or SAML SSO) in use are exposed.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 is Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). Exploitation requires no authentication and no user interaction; the attacker needs only network access to the DDP endpoint and the ability to send a CAS login call with an object in place of the credentialToken string. The one precondition is that a legitimate CAS or SAML login be in flight at that moment, since the operator matches whatever unexpired credential-token document exists; the request is cheap and can be retried indefinitely, so this is a timing dependency rather than a real barrier. EPSS is not yet available and the issue is not in CISA KEV, but neither lowers the urgency: the flaw sits in the authentication path and can hand over administrator sessions.

Generated by OpenCVE AI on June 25, 2026 at 00:26 UTC.

Remediation

Vendor fix available: upgrade to 8.5.0, or to the backported fix on your release line (8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7 or 7.10.11), as stated in the description. No vendor workaround is documented; the interim mitigations below are not from the vendor.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to 8.5.0 or later, or to the patched release on your current line (8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7 or 7.10.11).
  • If you maintain a fork or cannot upgrade immediately, add a runtime check in the CAS login handler that credentialToken is a non-empty plain string and reject anything else before the database lookup. A TypeScript string annotation is erased at compile time and provides no protection against a DDP payload carrying an object; only a runtime check addresses the root weakness (CWE-943).
  • Until patched, restrict external access to the DDP endpoint and the CAS login route, for example to trusted networks or via a reverse proxy. Note that DDP is the transport used by the Rocket.Chat web and desktop clients, so blocking it outright takes the service offline for most users; treat this as a last resort rather than a routine mitigation.
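The second recommended action above is easiest to see in code. The following is an added example, not Rocket.Chat's code and not from the advisory: a small TypeScript sketch of the CWE-943 pattern described in this CVE, with the vulnerable lookup beside a hardened one. The document shape, function names and sample data are assumptions, and the in-memory matcher stands in for MongoDB's findOne so the example runs offline. In a real Meteor server the equivalent guard is `check(credentialToken, String)` from the `meteor/check` package, which throws on any non-string value.

```typescript
// Added illustration of the CWE-943 pattern this CVE describes: a filter
// object substituted for a string reaches a findOne() unchanged because the
// TypeScript `string` annotation does not exist at runtime. Not Rocket.Chat's
// code; document shape, names and sample data are assumptions, and the Mongo
// matcher below is a small in-memory stand-in.

interface CredentialTokenDoc {
  _id: string;       // opaque CAS ticket / SAML credential token
  userId: string;    // user the pending SSO login belongs to
  expireAt: number;  // epoch milliseconds
}

// Constructed sample collection: one unexpired pending login for an admin.
const credentialTokens: CredentialTokenDoc[] = [
  { _id: "ST-1234-opaque-ticket", userId: "adminUser", expireAt: Date.now() + 60000 },
];

// A filter on a string field: either an exact value or a (small subset of)
// MongoDB comparison operators. Real MongoDB supports many more.
type IdFilter = string | { $gt?: string; $ne?: string | null; $regex?: string };

function idMatches(value: string, filter: IdFilter): boolean {
  if (typeof filter === "string") return value === filter;               // {_id: "abc"}
  if (filter.$gt !== undefined) return value > filter.$gt;                // {_id: {$gt: ""}}
  if ("$ne" in filter) return value !== filter.$ne;                       // {_id: {$ne: null}}
  if (filter.$regex !== undefined) return new RegExp(filter.$regex).test(value);
  return false;
}

// Stand-in for Collection.findOne({_id: ...}) restricted to unexpired docs.
function findOneCredentialToken(filter: { _id: IdFilter }): CredentialTokenDoc | null {
  const now = Date.now();
  for (const doc of credentialTokens) {
    if (doc.expireAt > now && idMatches(doc._id, filter._id)) return doc;
  }
  return null;
}

// Vulnerable shape: the annotation promises a string, but a DDP payload can
// carry any JSON value, and nothing here checks it before the query.
function vulnerableCasLookup(credentialToken: string): CredentialTokenDoc | null {
  return findOneCredentialToken({ _id: credentialToken });
}

// Hardened shape: the parameter is `unknown` until proven to be a non-empty
// string, so an operator object never reaches the query.
function hardenedCasLookup(credentialToken: unknown): CredentialTokenDoc | null {
  if (typeof credentialToken !== "string" || credentialToken.length === 0) {
    throw new Error("credentialToken must be a non-empty string");
  }
  return findOneCredentialToken({ _id: credentialToken });
}

// What the attacker sends in place of the ticket string. The cast mirrors the
// runtime reality: the handler receives the object as-is, type annotation or not.
const INJECTED_GT = { $gt: "" } as unknown as string;
const INJECTED_NE = { $ne: null } as unknown as string;

// Returns the userId a lookup variant would bind the login to, or null if it
// finds nothing or refuses the input.
function probe(token: string, lookup: (t: string) => CredentialTokenDoc | null): string | null {
  try {
    const doc = lookup(token);
    return doc ? doc.userId : null;
  } catch (e) {
    return null; // hardened variant throws on non-strings
  }
}

console.log('vulnerable, {$gt: ""} ->', probe(INJECTED_GT, vulnerableCasLookup));
console.log('hardened,   {$gt: ""} ->', probe(INJECTED_GT, hardenedCasLookup));
```

With the sample collection above, the vulnerable variant binds both `{$gt: ""}` and `{$ne: null}` to `adminUser` because any non-empty `_id` satisfies the operator, while a wrong literal ticket matches nothing; the hardened variant rejects the operator objects and still accepts the genuine ticket string.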

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Title        (none)           Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack
Weaknesses   (none)           CWE-943
References   (none)
Metrics      (none)           cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:56:44.843Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45688

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-943

    Improper Neutralization of Special Elements in Data Query Logic