Overview
A critical (CVSS 9.1) unauthenticated account takeover vulnerability has been disclosed in Rocket.Chat — the widely deployed open-source communications platform. The flaw, tracked as CVE-2026-45688, resides in the CAS (Central Authentication Service) login handler, which forwards a client-controlled value directly into a MongoDB findOne({_id: ...}) query without sanitization. This enables a remote attacker to inject MongoDB query operators and take over arbitrary user accounts without any prior authentication.
Vulnerability Summary
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-45688 |
| CVSS Score | 9.1 (Critical) |
| Attack Vector | Network |
| Authentication Required | None |
| Vulnerability Type | MongoDB Operator Injection / Account Takeover |
| Affected Component | CAS Login Handler |
| Patched Versions | 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11 |
| Published | 2026-06-24 |
Technical Details
The vulnerability stems from Rocket.Chat's CAS login handler consuming the options.cas.credentialToken value supplied by the client and passing it directly as the _id field in a MongoDB findOne() call:
// Simplified vulnerable code pattern
const credential = options.cas.credentialToken; // Client-controlled, unsanitized
const result = await db.collection('cas_login_tokens').findOne({ _id: credential });Because the value is not validated or cast to a plain string before the database query, an attacker can substitute a MongoDB query operator object in place of a string:
{
"options": {
"cas": {
"credentialToken": { "$gt": "" }
}
}
}The operator $gt: "" matches any non-empty _id, causing the query to return the first valid credential token in the collection rather than the one specifically belonging to the attacker. The attacker then inherits the session associated with that token — effectively taking over the corresponding user account.
Attack Flow
1. Attacker initiates CAS login flow normally
2. Instead of supplying a legitimate credentialToken string,
attacker injects a MongoDB operator object (e.g. {"$gt":""})
3. Rocket.Chat passes the injected object to MongoDB findOne()
4. MongoDB matches the first credential in the collection
5. Rocket.Chat logs the attacker in as the matched user
6. Attacker gains full session access to the victim account
Why the CVSS Score Is 9.1
- No authentication required — fully pre-auth
- Network-accessible — exploitable over the internet
- High impact on Confidentiality and Integrity — attacker reads and sends messages as the victim
- Only partial Availability impact — does not crash the server
Affected Versions
Any Rocket.Chat deployment running a version earlier than the following patched releases is vulnerable:
| Branch | First Safe Version |
|---|---|
| 8.x (latest) | 8.5.0 |
| 8.4.x | 8.4.1 |
| 8.3.x | 8.3.3 |
| 8.2.x | 8.2.3 |
| 8.1.x | 8.1.4 |
| 8.0.x | 8.0.5 |
| 7.13.x | 7.13.7 |
| 7.10.x | 7.10.11 |
Versions outside these branches that are end-of-life should be considered vulnerable with no fix available; upgrade to a supported branch immediately.
Detection
Identify Your Rocket.Chat Version
# Via Admin panel: Administration → Info
# Via Docker
docker exec rocketchat node -e "const p = require('./package.json'); console.log(p.version);"
# Via API
curl -s https://your-rocketchat.example.com/api/info | jq '.version'Check for CAS Integration
# Check Rocket.Chat admin settings for CAS status
# Administration → OAuth → CAS
# If CAS is disabled, attack surface is reduced (but patch anyway)Indicators of Suspicious CAS Authentication
Review your Rocket.Chat access logs for CAS login requests with non-string credentialToken values:
# Look for login attempts with unusual credentialToken formats
grep -i "cas" /path/to/rocketchat/logs/*.log | grep -v '"credentialToken":"[a-zA-Z0-9]'
# Monitor for users logged in from unexpected IPs
# Administration → Rooms → Direct Messages (suspicious activity)Remediation
Immediate Action: Upgrade Rocket.Chat
This is the only complete fix. Upgrade to the patched version for your branch:
# Docker-based deployment (example)
docker pull rocket.chat:8.5.0
docker stop rocketchat
docker rm rocketchat
# Re-launch with your existing docker run / compose configuration# Snap installation
sudo snap refresh rocketchat-server --channel=stableTemporary Mitigation (If Immediate Upgrade Is Not Possible)
If your organization uses CAS for SSO and cannot patch immediately:
- Disable CAS authentication in Administration → OAuth → CAS until the patch is applied.
- Users will fall back to local or other OAuth methods.
- Note: disabling CAS only removes the direct attack vector — upgrade remains mandatory.
Input Validation Workaround (Self-hosted, custom build)
If running a customized self-hosted build, add a type check before the MongoDB query:
// Defensive fix (not a substitute for upgrading)
const token = options.cas.credentialToken;
if (typeof token !== 'string') {
throw new Error('Invalid credentialToken type');
}
const result = await db.collection('cas_login_tokens').findOne({ _id: token });Impact Assessment
Rocket.Chat is used by organizations including government agencies, healthcare providers, financial services, and technology companies — particularly those requiring self-hosted, on-premise messaging. An unauthenticated account takeover means:
- Data exfiltration — attackers can read all messages, files, and channels accessible to the compromised account
- Lateral movement — admin accounts taken over could lead to full server compromise
- Regulatory exposure — unauthorized access to regulated communications (HIPAA, SOC 2, GDPR)
References
Published: June 25, 2026 — CosmicBytez Labs Security Team