Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an email parameter. If the JWT does not contain an email address, the application falls back to accepting an arbitrary email value supplied directly in the request. Attackers are able to forge Apple JWTs that do not contain an email address and leverage this vulnerability to carry out account takeover attacks. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
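The fallback the description refers to, placed beside a hardened alternative, as an added illustration in TypeScript (the affected file is loginHandler.ts). This is not Rocket.Chat's code: the names signDemoToken, verifyDemoToken, resolveAccountEmailVulnerable, resolveAccountEmailHardened, runScenario and the LoginRequest shape are constructed for the example, and an HS256 shared secret stands in for Apple's RS256 signature and published JWKS so the block runs offline.

```typescript
// Added illustration of the advisory's fallback pattern and a hardened version.
// NOT Rocket.Chat's code. All identifiers below are constructed for this demo; the
// HS256 shared secret replaces Apple's RS256 signature + JWKS so the example is offline.
import { createHmac, timingSafeEqual } from "crypto";

interface IdentityClaims {
  iss: string;
  sub: string;     // the issuer's stable per-user identifier
  email?: string;  // may be absent: the case the advisory describes
}

interface LoginRequest {
  identityToken: string;
  email?: string;  // caller-controlled field from the HTTP body
}

const b64url = (buf: Buffer): string => buf.toString("base64url");

// Demo-only token minting so the example is self-contained (constructed secret, not a real key).
export function signDemoToken(claims: IdentityClaims, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

// Verify the signature (stand-in for JWKS verification), check issuer and subject,
// and return the claims. Everything downstream must trust only what comes out of here.
export function verifyDemoToken(token: string, secret: string): IdentityClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const actual = Buffer.from(sig, "base64url");
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (claims.iss !== "https://appleid.apple.com" || typeof claims.sub !== "string") {
    throw new Error("unexpected issuer or missing sub");
  }
  return claims as IdentityClaims;
}

// The pattern the advisory describes: when the verified token carries no email, fall
// back to the request body. The body is caller-controlled, so the value used to find
// the account is no longer bound to the verified identity at all.
export function resolveAccountEmailVulnerable(claims: IdentityClaims, req: LoginRequest): string {
  return claims.email ?? req.email ?? "";
}

// Hardened: the request body is never consulted. If the verified token has no email
// claim, the login is refused rather than completed with an unverified address.
export function resolveAccountEmailHardened(claims: IdentityClaims, _req: LoginRequest): string {
  if (typeof claims.email !== "string" || claims.email.length === 0) {
    throw new Error("identity token carries no email claim; refusing request-supplied fallback");
  }
  return claims.email;
}

// Runs both resolvers on a constructed token that lacks an email claim, paired with a
// body that names someone else's address, and reports what each resolver does.
export function runScenario(): { vulnerableResolvedEmail: string; hardenedRejected: boolean } {
  const secret = "constructed-demo-secret"; // constructed; not a real key
  const token = signDemoToken({ iss: "https://appleid.apple.com", sub: "000123.demo" }, secret);
  const req: LoginRequest = { identityToken: token, email: "victim@example.com" };
  const claims = verifyDemoToken(req.identityToken, secret);
  const vulnerableResolvedEmail = resolveAccountEmailVulnerable(claims, req);
  let hardenedRejected = false;
  try {
    resolveAccountEmailHardened(claims, req);
  } catch {
    hardenedRejected = true;
  }
  return { vulnerableResolvedEmail, hardenedRejected };
}

console.log(runScenario());
```

The hardened resolver implements the check the Recommended Actions section asks for (reject logins whose token lacks the email claim). A more robust design keys the account on the verified `sub` claim and treats email as a display attribute captured at first login, which removes the dependency on the email claim altogether; either way, nothing from the request body may stand in for a claim the token does not carry.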
Published: 2026-06-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The missing email check in Apple OAuth lets attackers supply a forged Apple JWT without an email claim and set an arbitrary email in the request, allowing them to impersonate any user and take over that account; this is a credential reuse or account takeover vulnerability, reflected in CWE-287 and CWE-288.

Affected Systems

Rocket.Chat servers running any release earlier than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13 on their respective release lines are affected; all older releases are also vulnerable.

Risk and Exploitability

The CVSS base score of 9.3 indicates critical severity, and while EPSS data is not available, the absence of KEV listing does not lower the likelihood of exploitation; the vulnerability can be exploited remotely by forging an Apple OAuth JWT and supplying any email address during the login request, making it a straightforward account takeover scenario.

Generated by OpenCVE AI on June 24, 2026 at 23:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to the latest patched version (8.5.1 or later) to eliminate the fallback email vulnerability.
  • Restart the Rocket.Chat application to ensure the new code is loaded.
  • Verify that Apple OAuth login only accepts JWTs containing the email claim and rejects any login attempt lacking it; monitor authentication logs for suspicious patterns.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type / Values Removed / Values Added (initial entry; no removed values recorded)
Description: added; identical to the Description at the top of this page.
Title: added "Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth"
Weaknesses: added CWE-287, CWE-288
References: no values recorded
Metrics: added cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:06:55.637Z

Reserved: 2026-06-17T00:05:03.777Z

Link: CVE-2026-55666

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:15:03Z

Weaknesses
  • CWE-287: Improper Authentication
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel