Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
Published: 2026-06-24
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat’s Apple Sign‑In handler, before the fixes in the latest releases, verifies only the JWT signature but neglects essential claims validation, exposing the system to CWE‑287 and CWE‑294 weaknesses. The lack of checks on the token’s audience, expiration, not‑before, and nonce fields means that any Apple‑signed JWT with a non‑empty issuer is accepted. An attacker who obtains a valid Apple identity token for a target user—by extracting it from server logs, intercepting the sign‑in flow, or borrowing a token from another application under the same developer team—can replay that token with no expiration limits and impersonate the user.

Affected Systems

The vulnerability affects Rocket.Chat releases older than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. Updated versions of Rocket.Chat are not impacted.

Risk and Exploitability

The CVSS score of 7.4 indicates a moderate‑to‑high severity for authentication bypass. The EPSS score is not available, so the current exploitation probability is uncertain, but the flaw remains serious because it requires only possession of a valid Apple token and permits replay without expiration constraints. The vulnerability is not listed in the CISA KEV catalog, and the likely attack vector is the manual or automated replay of that token when Apple Sign‑In is enabled.

Generated by OpenCVE AI on June 25, 2026 at 00:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to any of the fixed releases: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13.
  • If an immediate upgrade is not feasible, disable Apple Sign‑In authentication to prevent unverified tokens from being accepted.
  • Implement monitoring for repeated Apple Sign‑In attempts and enforce session revocation or rotation when anomalous replay activity is detected.

Generated by OpenCVE AI on June 25, 2026 at 00:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Rocketchat
Rocketchat rocket.chat
Vendors & Products Rocketchat
Rocketchat rocket.chat

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
Title Rocket.Chat: Apple Sign-In skips JWT claims validation, allowing expired and cross-audience token replay
Weaknesses CWE-287
CWE-294
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Rocketchat Rocket.chat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:28.570Z

Reserved: 2026-06-17T14:34:51.880Z

Link: CVE-2026-55759

cve-icon Vulnrichment

Updated: 2026-06-25T23:10:17.879Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:30:04Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-294

    Authentication Bypass by Capture-replay