Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-45688: Rocket.Chat CAS Login MongoDB Operator Injection (CVSS 9.1)
CVE-2026-45688: Rocket.Chat CAS Login MongoDB Operator Injection (CVSS 9.1)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-45688

CVE-2026-45688: Rocket.Chat CAS Login MongoDB Operator Injection (CVSS 9.1)

Critical unauthenticated account takeover vulnerability in Rocket.Chat's CAS login handler passes unsanitized client input directly into a MongoDB findOne...

Dylan H.

Security Team

June 25, 2026
5 min read

Affected Products

  • Rocket.Chat < 8.5.0
  • Rocket.Chat < 8.4.1
  • Rocket.Chat < 8.3.3
  • Rocket.Chat < 8.2.3
  • Rocket.Chat < 8.1.4
  • Rocket.Chat < 8.0.5
  • Rocket.Chat < 7.13.7
  • Rocket.Chat < 7.10.11

Overview

A critical (CVSS 9.1) unauthenticated account takeover vulnerability has been disclosed in Rocket.Chat — the widely deployed open-source communications platform. The flaw, tracked as CVE-2026-45688, resides in the CAS (Central Authentication Service) login handler, which forwards a client-controlled value directly into a MongoDB findOne({_id: ...}) query without sanitization. This enables a remote attacker to inject MongoDB query operators and take over arbitrary user accounts without any prior authentication.

Vulnerability Summary

AttributeValue
CVE IDCVE-2026-45688
CVSS Score9.1 (Critical)
Attack VectorNetwork
Authentication RequiredNone
Vulnerability TypeMongoDB Operator Injection / Account Takeover
Affected ComponentCAS Login Handler
Patched Versions8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11
Published2026-06-24

Technical Details

The vulnerability stems from Rocket.Chat's CAS login handler consuming the options.cas.credentialToken value supplied by the client and passing it directly as the _id field in a MongoDB findOne() call:

// Simplified vulnerable code pattern
const credential = options.cas.credentialToken; // Client-controlled, unsanitized
const result = await db.collection('cas_login_tokens').findOne({ _id: credential });

Because the value is not validated or cast to a plain string before the database query, an attacker can substitute a MongoDB query operator object in place of a string:

{
  "options": {
    "cas": {
      "credentialToken": { "$gt": "" }
    }
  }
}

The operator $gt: "" matches any non-empty _id, causing the query to return the first valid credential token in the collection rather than the one specifically belonging to the attacker. The attacker then inherits the session associated with that token — effectively taking over the corresponding user account.

Attack Flow

1. Attacker initiates CAS login flow normally
2. Instead of supplying a legitimate credentialToken string,
   attacker injects a MongoDB operator object (e.g. {"$gt":""})
3. Rocket.Chat passes the injected object to MongoDB findOne()
4. MongoDB matches the first credential in the collection
5. Rocket.Chat logs the attacker in as the matched user
6. Attacker gains full session access to the victim account

Why the CVSS Score Is 9.1

  • No authentication required — fully pre-auth
  • Network-accessible — exploitable over the internet
  • High impact on Confidentiality and Integrity — attacker reads and sends messages as the victim
  • Only partial Availability impact — does not crash the server

Affected Versions

Any Rocket.Chat deployment running a version earlier than the following patched releases is vulnerable:

BranchFirst Safe Version
8.x (latest)8.5.0
8.4.x8.4.1
8.3.x8.3.3
8.2.x8.2.3
8.1.x8.1.4
8.0.x8.0.5
7.13.x7.13.7
7.10.x7.10.11

Versions outside these branches that are end-of-life should be considered vulnerable with no fix available; upgrade to a supported branch immediately.

Detection

Identify Your Rocket.Chat Version

# Via Admin panel: Administration → Info
# Via Docker
docker exec rocketchat node -e "const p = require('./package.json'); console.log(p.version);"
 
# Via API
curl -s https://your-rocketchat.example.com/api/info | jq '.version'

Check for CAS Integration

# Check Rocket.Chat admin settings for CAS status
# Administration → OAuth → CAS
# If CAS is disabled, attack surface is reduced (but patch anyway)

Indicators of Suspicious CAS Authentication

Review your Rocket.Chat access logs for CAS login requests with non-string credentialToken values:

# Look for login attempts with unusual credentialToken formats
grep -i "cas" /path/to/rocketchat/logs/*.log | grep -v '"credentialToken":"[a-zA-Z0-9]'
 
# Monitor for users logged in from unexpected IPs
# Administration → Rooms → Direct Messages (suspicious activity)

Remediation

Immediate Action: Upgrade Rocket.Chat

This is the only complete fix. Upgrade to the patched version for your branch:

# Docker-based deployment (example)
docker pull rocket.chat:8.5.0
docker stop rocketchat
docker rm rocketchat
# Re-launch with your existing docker run / compose configuration
# Snap installation
sudo snap refresh rocketchat-server --channel=stable

Temporary Mitigation (If Immediate Upgrade Is Not Possible)

If your organization uses CAS for SSO and cannot patch immediately:

  1. Disable CAS authentication in Administration → OAuth → CAS until the patch is applied.
  2. Users will fall back to local or other OAuth methods.
  3. Note: disabling CAS only removes the direct attack vector — upgrade remains mandatory.

Input Validation Workaround (Self-hosted, custom build)

If running a customized self-hosted build, add a type check before the MongoDB query:

// Defensive fix (not a substitute for upgrading)
const token = options.cas.credentialToken;
if (typeof token !== 'string') {
  throw new Error('Invalid credentialToken type');
}
const result = await db.collection('cas_login_tokens').findOne({ _id: token });

Impact Assessment

Rocket.Chat is used by organizations including government agencies, healthcare providers, financial services, and technology companies — particularly those requiring self-hosted, on-premise messaging. An unauthenticated account takeover means:

  • Data exfiltration — attackers can read all messages, files, and channels accessible to the compromised account
  • Lateral movement — admin accounts taken over could lead to full server compromise
  • Regulatory exposure — unauthorized access to regulated communications (HIPAA, SOC 2, GDPR)

References

  • NVD: CVE-2026-45688
  • Rocket.Chat Security Advisories
  • Rocket.Chat Releases

Published: June 25, 2026 — CosmicBytez Labs Security Team

Related Advisories

  • CVE-2026-45689: Rocket.Chat OAuth MongoDB Operator Injection
#CVE#Rocket.Chat#MongoDB#Injection#Account Takeover#CAS#authentication

Related Articles

CVE-2026-45689: Rocket.Chat OAuth Token Hijack via MongoDB Operator Injection (CVSS 9.1)

Critical pre-authentication vulnerability in Rocket.Chat allows any unauthenticated network attacker to obtain a valid OAuth access token for an arbitrary...

5 min read

CVE-2026-12073: ProfileGrid WordPress Plugin Critical Privilege Escalation

A critical CVSS 9.8 vulnerability in the ProfileGrid WordPress plugin allows unauthenticated attackers to take over any user account and escalate...

3 min read

CVE-2026-9851: WordPress Booking Package Plugin Privilege Escalation via Account Takeover

A high-severity privilege escalation vulnerability in the Booking Package WordPress plugin allows unauthenticated or low-privileged attackers to take over…

2 min read
Back to all Security Alerts