Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-45689: Rocket.Chat OAuth Token Hijack via MongoDB Operator Injection (CVSS 9.1)
CVE-2026-45689: Rocket.Chat OAuth Token Hijack via MongoDB Operator Injection (CVSS 9.1)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-45689

CVE-2026-45689: Rocket.Chat OAuth Token Hijack via MongoDB Operator Injection (CVSS 9.1)

Critical pre-authentication vulnerability in Rocket.Chat allows any unauthenticated network attacker to obtain a valid OAuth access token for an arbitrary...

Dylan H.

Security Team

June 25, 2026
5 min read

Affected Products

  • Rocket.Chat < 8.5.0
  • Rocket.Chat < 8.4.1
  • Rocket.Chat < 8.3.3
  • Rocket.Chat < 8.2.3
  • Rocket.Chat < 8.1.4
  • Rocket.Chat < 8.0.5
  • Rocket.Chat < 7.13.7
  • Rocket.Chat < 7.10.11

Overview

A second critical (CVSS 9.1) vulnerability disclosed alongside CVE-2026-45688, CVE-2026-45689 allows an unauthenticated attacker to steal a valid Rocket.Chat OAuth access token for any user by sending a single crafted HTTP POST request. The root cause is the same class of bug — MongoDB operator injection — but in the OAuth authentication flow rather than the CAS handler. An attacker with a stolen OAuth token can authenticate to Rocket.Chat as the targeted user without knowing their password or requiring any MFA.

Vulnerability Summary

AttributeValue
CVE IDCVE-2026-45689
CVSS Score9.1 (Critical)
Attack VectorNetwork
Authentication RequiredNone
Vulnerability TypeMongoDB Operator Injection / OAuth Token Theft
Affected ComponentOAuth Login / Token Lookup Handler
Patched Versions8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11
Published2026-06-24

Technical Details

Rocket.Chat's OAuth token lookup handler accepts a token value from the client request body and passes it to a MongoDB query without type-checking or sanitization:

// Simplified vulnerable code pattern
const token = req.body.token; // Attacker-controlled, unsanitized
const oauthToken = await OAuthTokens.findOne({ token: token });
if (oauthToken) {
  // Log user in using the matched token record
  loginWithToken(oauthToken.userId);
}

By supplying a MongoDB operator object instead of a plain string, the attacker causes the query to match a legitimate token record:

POST /api/v1/oauth/token HTTP/1.1
Host: rocketchat.example.com
Content-Type: application/json
 
{
  "token": { "$gt": "" }
}

The $gt: "" operator matches the first token document in the collection, and Rocket.Chat proceeds to authenticate the attacker as that token's owner. Because OAuth tokens are typically long-lived (hours to days), an attacker can use the stolen token to make API calls, send messages, access files, and impersonate the user across all integrations.

Comparison with CVE-2026-45688

Both CVEs share the same root cause — MongoDB operator injection — but target different authentication flows:

CVE-2026-45688CVE-2026-45689
FlowCAS login handlerOAuth token lookup
InputcredentialTokenOAuth token
ResultSession takeoverOAuth access token theft
EndpointCAS callbackOAuth token exchange

Organizations with either CAS or OAuth enabled (or both) are at risk from one or both CVEs.

Single-Request Exploitation

Unlike many injection vulnerabilities that require chaining multiple requests, CVE-2026-45689 is exploitable with a single HTTP POST — the defining characteristic noted in the NVD advisory. This makes automated exploitation trivially simple and dramatically increases the risk of widespread abuse in the event of public PoC release.

Affected Versions

BranchFirst Safe Version
8.x (latest)8.5.0
8.4.x8.4.1
8.3.x8.3.3
8.2.x8.2.3
8.1.x8.1.4
8.0.x8.0.5
7.13.x7.13.7
7.10.x7.10.11

Detection

Check Rocket.Chat Version

# Via API (no authentication required)
curl -s https://your-rocketchat.example.com/api/info | jq '{version: .version}'

Suspicious OAuth Token Activity

# Check Rocket.Chat admin logs for unusual OAuth activity
# Administration → Logs → Filter by "oauth"
 
# In containerized deployments:
docker logs rocketchat 2>&1 | grep -i "oauth" | grep -v "200 OK"

Network-Level Detection

If your organization uses a WAF or IDS/IPS, create rules to flag POST requests to OAuth endpoints containing MongoDB operator keywords:

HTTP POST body contains: "$gt", "$ne", "$regex", "$where"
Destination: /api/v1/oauth/* OR /oauth/*

Indicators of Compromise

  • Users reporting unexpected sessions or messages they didn't send
  • OAuth tokens appearing in logs from unusual source IPs
  • API calls using tokens outside of normal working hours or geographic regions

Remediation

Upgrade Immediately

Both CVE-2026-45688 and CVE-2026-45689 are fixed in the same patch releases. Upgrade to the patched version for your active branch:

# Docker Compose example
# Edit docker-compose.yml: image: rocket.chat:8.5.0
docker compose pull && docker compose up -d
# Snap
sudo snap refresh rocketchat-server

Revoke All OAuth Tokens (Post-Incident)

If you suspect compromise, revoke all active OAuth tokens to force re-authentication:

// In Rocket.Chat admin shell (if accessible)
// Administration → OAuth Apps → Revoke all tokens
// Or via Rocket.Chat API (with admin credentials):
curl -H "X-Auth-Token: ADMIN_TOKEN" \
     -H "X-User-Id: ADMIN_USER_ID" \
     -X POST https://rocketchat.example.com/api/v1/users.logoutOtherClients

Temporary Mitigation

If an immediate upgrade is not possible:

  1. Disable OAuth-based login in Administration → OAuth → Third-party login
  2. Rotate all OAuth client secrets for registered applications
  3. Monitor login logs for anomalous activity while patching is in progress

Risk Context

These two Rocket.Chat CVEs are significant not just individually, but in combination:

  • Both are CVSS 9.1 — high severity with no authentication required
  • Both exploit the same root cause — indicating a systematic failure in input validation across authentication flows
  • Rocket.Chat is common in high-value environments — government agencies, defense contractors, and healthcare organizations use it for internal communications
  • Single-request exploitation (CVE-2026-45689) means an automated scanner could mass-exploit vulnerable instances within hours of a public PoC

Organizations running Rocket.Chat in any capacity should treat this as a P0 patch urgency.

References

  • NVD: CVE-2026-45689
  • Rocket.Chat Security Advisories
  • Rocket.Chat Releases

Published: June 25, 2026 — CosmicBytez Labs Security Team

Related Advisories

  • CVE-2026-45688: Rocket.Chat CAS MongoDB Operator Injection
#CVE#Rocket.Chat#MongoDB#Injection#OAuth#Token Hijack#authentication

Related Articles

CVE-2026-45688: Rocket.Chat CAS Login MongoDB Operator Injection (CVSS 9.1)

Critical unauthenticated account takeover vulnerability in Rocket.Chat's CAS login handler passes unsanitized client input directly into a MongoDB findOne...

5 min read

CVE-2026-8053: MongoDB Time-Series Out-of-Bounds Write

An authenticated user with database write privileges can trigger an out-of-bounds memory write in the mongod process via a flaw in MongoDB Server's...

3 min read

CVE-2026-41588: RELATE Courseware Timing Attack in Authentication (CVSS 9.0)

A timing attack vulnerability in RELATE's check_sign_in_key() function could allow attackers to infer valid sign-in keys through response time differences...

3 min read
Back to all Security Alerts