Overview
A second critical (CVSS 9.1) vulnerability disclosed alongside CVE-2026-45688, CVE-2026-45689 allows an unauthenticated attacker to steal a valid Rocket.Chat OAuth access token for any user by sending a single crafted HTTP POST request. The root cause is the same class of bug — MongoDB operator injection — but in the OAuth authentication flow rather than the CAS handler. An attacker with a stolen OAuth token can authenticate to Rocket.Chat as the targeted user without knowing their password or requiring any MFA.
Vulnerability Summary
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-45689 |
| CVSS Score | 9.1 (Critical) |
| Attack Vector | Network |
| Authentication Required | None |
| Vulnerability Type | MongoDB Operator Injection / OAuth Token Theft |
| Affected Component | OAuth Login / Token Lookup Handler |
| Patched Versions | 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11 |
| Published | 2026-06-24 |
Technical Details
Rocket.Chat's OAuth token lookup handler accepts a token value from the client request body and passes it to a MongoDB query without type-checking or sanitization:
// Simplified vulnerable code pattern
const token = req.body.token; // Attacker-controlled, unsanitized
const oauthToken = await OAuthTokens.findOne({ token: token });
if (oauthToken) {
// Log user in using the matched token record
loginWithToken(oauthToken.userId);
}By supplying a MongoDB operator object instead of a plain string, the attacker causes the query to match a legitimate token record:
POST /api/v1/oauth/token HTTP/1.1
Host: rocketchat.example.com
Content-Type: application/json
{
"token": { "$gt": "" }
}The $gt: "" operator matches the first token document in the collection, and Rocket.Chat proceeds to authenticate the attacker as that token's owner. Because OAuth tokens are typically long-lived (hours to days), an attacker can use the stolen token to make API calls, send messages, access files, and impersonate the user across all integrations.
Comparison with CVE-2026-45688
Both CVEs share the same root cause — MongoDB operator injection — but target different authentication flows:
| CVE-2026-45688 | CVE-2026-45689 | |
|---|---|---|
| Flow | CAS login handler | OAuth token lookup |
| Input | credentialToken | OAuth token |
| Result | Session takeover | OAuth access token theft |
| Endpoint | CAS callback | OAuth token exchange |
Organizations with either CAS or OAuth enabled (or both) are at risk from one or both CVEs.
Single-Request Exploitation
Unlike many injection vulnerabilities that require chaining multiple requests, CVE-2026-45689 is exploitable with a single HTTP POST — the defining characteristic noted in the NVD advisory. This makes automated exploitation trivially simple and dramatically increases the risk of widespread abuse in the event of public PoC release.
Affected Versions
| Branch | First Safe Version |
|---|---|
| 8.x (latest) | 8.5.0 |
| 8.4.x | 8.4.1 |
| 8.3.x | 8.3.3 |
| 8.2.x | 8.2.3 |
| 8.1.x | 8.1.4 |
| 8.0.x | 8.0.5 |
| 7.13.x | 7.13.7 |
| 7.10.x | 7.10.11 |
Detection
Check Rocket.Chat Version
# Via API (no authentication required)
curl -s https://your-rocketchat.example.com/api/info | jq '{version: .version}'Suspicious OAuth Token Activity
# Check Rocket.Chat admin logs for unusual OAuth activity
# Administration → Logs → Filter by "oauth"
# In containerized deployments:
docker logs rocketchat 2>&1 | grep -i "oauth" | grep -v "200 OK"Network-Level Detection
If your organization uses a WAF or IDS/IPS, create rules to flag POST requests to OAuth endpoints containing MongoDB operator keywords:
HTTP POST body contains: "$gt", "$ne", "$regex", "$where"
Destination: /api/v1/oauth/* OR /oauth/*
Indicators of Compromise
- Users reporting unexpected sessions or messages they didn't send
- OAuth tokens appearing in logs from unusual source IPs
- API calls using tokens outside of normal working hours or geographic regions
Remediation
Upgrade Immediately
Both CVE-2026-45688 and CVE-2026-45689 are fixed in the same patch releases. Upgrade to the patched version for your active branch:
# Docker Compose example
# Edit docker-compose.yml: image: rocket.chat:8.5.0
docker compose pull && docker compose up -d# Snap
sudo snap refresh rocketchat-serverRevoke All OAuth Tokens (Post-Incident)
If you suspect compromise, revoke all active OAuth tokens to force re-authentication:
// In Rocket.Chat admin shell (if accessible)
// Administration → OAuth Apps → Revoke all tokens
// Or via Rocket.Chat API (with admin credentials):
curl -H "X-Auth-Token: ADMIN_TOKEN" \
-H "X-User-Id: ADMIN_USER_ID" \
-X POST https://rocketchat.example.com/api/v1/users.logoutOtherClientsTemporary Mitigation
If an immediate upgrade is not possible:
- Disable OAuth-based login in Administration → OAuth → Third-party login
- Rotate all OAuth client secrets for registered applications
- Monitor login logs for anomalous activity while patching is in progress
Risk Context
These two Rocket.Chat CVEs are significant not just individually, but in combination:
- Both are CVSS 9.1 — high severity with no authentication required
- Both exploit the same root cause — indicating a systematic failure in input validation across authentication flows
- Rocket.Chat is common in high-value environments — government agencies, defense contractors, and healthcare organizations use it for internal communications
- Single-request exploitation (CVE-2026-45689) means an automated scanner could mass-exploit vulnerable instances within hours of a public PoC
Organizations running Rocket.Chat in any capacity should treat this as a P0 patch urgency.
References
Published: June 25, 2026 — CosmicBytez Labs Security Team