
Rocket.Chat CVE-2026-45688

EUVD: EUVD-2026-39093 · CRITICAL
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-06-24 · security-advisories@github.com
CVSS 3.1 base score 9.1 · Vendor: github

Severity by source

Vendor (github), primary: 9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI: 9.1 CRITICAL

Remote unauthenticated DDP call with no user interaction (AV:N/AC:L/PR:N/UI:N); full account/instance takeover yields C:H/I:H, no availability impact, scope unchanged.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS Vector (Vendor: github)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 24, 2026 - 22:03 (EUVD)
Analysis generated: Jun 24, 2026 - 21:37 (vuln.today)

Description (CVE.org)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Analysis (AI)

{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Reach Rocket.Chat DDP endpoint
Delivery: Time concurrent CAS/SAML login
Exploit: Send DDP login with NoSQL operator credentialToken
Install: Operator matches unexpired credential_tokens row
C2: Receive victim-bound Meteor auth token
Execute: Act over REST/DDP as victim
Impact: Install malicious app if admin

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Rocket.Chat instance has CAS (or SAML) SSO enabled, since the vulnerable code path is the CAS login handler; instances without external SSO configured are not exploitable. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All signals point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who can reach the Rocket.Chat DDP/REST endpoint waits for or induces a window when a legitimate CAS or SAML SSO login is in progress, then issues a DDP login call supplying options.cas.credentialToken as a MongoDB operator object such as {"$gt": ""} instead of a real ticket string. The operator matches the first unexpired row in credential_tokens, and the server returns a full auth token bound to the victim user, immediately usable across the entire REST and DDP surface. …

Remediation: Upgrade to the fixed release on your branch. Vendor-released patch: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11 (choose the one matching your current major/minor line) per the advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-rr54-jf4h-6cj9. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify and inventory all production Meteor applications; enable detailed authentication event logging to detect exploitation attempts. …


CVE-2026-45688 vulnerability details – vuln.today
