Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {"$ne": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Published: 2026-06-24
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NoSQL injection in Rocket.Chat's OAuth2 token endpoint (/oauth/token) in versions before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. An unauthenticated network attacker can send a single POST request whose grant parameters client_id, client_secret, and refresh_token carry MongoDB query operators such as {"$ne": null} instead of strings. Because Rocket.Chat does not validate that these parameters are strings, it forwards them unchanged into a findOne query against the oauth_apps and oauth_access_tokens collections, so the operator objects act as query conditions rather than literal values. The server therefore returns a newly minted access_token and refresh_token pair bound to whichever user's refresh token MongoDB returns first. This bearer token grants full access to the /api/v1/* surface as that user. By iterating with $nin or $regex operators the attacker can walk the entire oauth_access_tokens collection, collecting one fresh token per user per request. If an administrator's token is obtained, the adversary gains full admin API capabilities, including the ability to install Apps-Engine applications and thereby achieve server-side code execution. No prior account or credentials are required. The flaw is classified as a NoSQL injection, CWE-943.

Affected Systems

Rocket.Chat software versions earlier than 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 are affected. Updating to any of the patched releases listed above removes the vulnerability.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity. No EPSS score is available, and the vulnerability is not yet listed in the CISA KEV catalog. The attack can be carried out over the network by any remote actor without authentication, making exploitation highly likely if the software remains unpatched.

Generated by OpenCVE AI on June 25, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to version 8.5.0 or later, or to any of the listed fixed releases (8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11) to eliminate the injection point.
  • If the patch cannot be applied immediately, consider temporarily disabling the /oauth/token endpoint or restricting network access to the REST API to prevent unauthorized usage.
  • Apply standard security hardening: enforce strict input validation on all grant parameters, implement least-privilege access controls for OAuth tokens, and monitor API usage for anomalous token creation patterns.

Generated by OpenCVE AI on June 25, 2026 at 00:25 UTC.
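Worked example, added here and not code from Rocket.Chat or OpenCVE: the string type check on grant parameters that the Impact paragraph describes as missing and that the hardening recommendation above calls for, shown as an unchecked filter builder next to a validated one. The parameter names follow the OAuth2 token request; the Mongo field names (clientId, clientSecret), the length limit and the two sample request bodies are constructed assumptions for illustration.

```javascript
// Added illustration, not Rocket.Chat's code. Parameter names follow the OAuth2
// token request; the Mongo field names (clientId, clientSecret), MAX_LEN and the
// sample bodies are assumed.

const GRANT_PARAMS = ['grant_type', 'client_id', 'client_secret',
  'refresh_token', 'code', 'redirect_uri'];
const REQUIRED = ['grant_type', 'client_id', 'client_secret'];
const MAX_LEN = 1024;

// True if any key at any depth starts with '$': such a value would be read by
// MongoDB as an operator document ({$ne: null}, {$regex: ...}) rather than as a
// literal to compare against.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v));
  }
  return false;
}

// Unchecked pattern: whatever JSON arrived is copied straight into the filter,
// so an object-valued client_id becomes part of the query instead of a string.
function unsafeAppFilter(body) {
  return { clientId: body.client_id, clientSecret: body.client_secret };
}

// Hardened pattern: every recognised grant parameter must be a non-empty string
// of bounded length; anything else is refused before a filter is built.
// Returns { ok: true, params } or { ok: false, error, reason }.
function validateTokenRequest(body) {
  const reject = (reason) => ({ ok: false, error: 'invalid_request', reason });
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return reject('body must be a JSON object');
  }
  const params = {};
  for (const key of GRANT_PARAMS) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) continue;
    const value = body[key];
    if (typeof value !== 'string') return reject(`${key} must be a string`);
    if (value.length === 0 || value.length > MAX_LEN) {
      return reject(`${key} has invalid length`);
    }
    params[key] = value;
  }
  for (const key of REQUIRED) {
    if (!(key in params)) return reject(`${key} is required`);
  }
  if (params.grant_type === 'refresh_token' && !('refresh_token' in params)) {
    return reject('refresh_token is required for grant_type=refresh_token');
  }
  return { ok: true, params };
}

// Filter built only from validated strings: each value can only ever be
// compared as a literal, never interpreted as an operator.
function safeAppFilter(validated) {
  if (!validated.ok) throw new Error('validate before building a filter');
  return { clientId: validated.params.client_id,
           clientSecret: validated.params.client_secret };
}

// Constructed sample requests: a well-formed refresh, and the operator-valued
// shape the advisory describes.
const LEGIT_BODY = { grant_type: 'refresh_token', client_id: 'app-123',
  client_secret: 'example-secret', refresh_token: 'rt-example' };
const INJECTED_BODY = { grant_type: 'refresh_token', client_id: { $ne: null },
  client_secret: { $ne: null }, refresh_token: { $ne: null } };

// Summarise how each pattern treats a body, for a side-by-side comparison.
function compare(body) {
  const v = validateTokenRequest(body);
  return {
    unsafeFilterCarriesOperator: containsOperator(unsafeAppFilter(body)),
    hardenedAccepts: v.ok,
    reason: v.ok ? null : v.reason,
  };
}

console.log('legit   ', compare(LEGIT_BODY));
console.log('injected', compare(INJECTED_BODY));
```

containsOperator is also usable at the logging layer: a token request in which any grant parameter is not a string, or whose value carries a $-prefixed key, is a request shape no legitimate OAuth client produces, so the "monitor API usage" item above can key on exactly that condition.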

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {"$ne": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Title | (none) | Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO
Weaknesses | (none) | CWE-943
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:57:32.281Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45689

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic