Skip to main content

Rocket.Chat EUVDEUVD-2026-39120

| CVE-2026-55759 HIGH
Improper Authentication (CWE-287)
2026-06-24 GitHub_M
7.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Network-reachable and unauthenticated to Rocket.Chat (PR:N), but AC:H because the attacker must first obtain a valid Apple token; full account takeover gives C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 23:03 EUVD
Analysis Generated
Jun 24, 2026 - 22:15 vuln.today
CVE Published
Jun 24, 2026 - 21:07 cve.org
HIGH 7.4

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

AnalysisAI

Authentication bypass in Rocket.Chat's Apple Sign-In handler allows attackers to impersonate any user by replaying a captured Apple identity token. The handler verifies the JWT signature but skips validation of the aud, exp, nbf, and nonce claims, so any Apple-signed token with a non-empty iss is accepted indefinitely with no replay-window expiry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain victim's Apple-signed JWT (logs/intercept/sibling app)
Delivery
Submit token to Rocket.Chat Apple Sign-In endpoint
Exploit
Signature passes, claims unchecked
Execution
Authenticated as victim user
Impact
Access victim account data and impersonate

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Rocket.Chat server has the 'Sign in with Apple' authentication method enabled, and that the attacker possesses a valid, Apple-signed identity token (JWT) for the victim user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, base 7.4) is internally consistent with the description: exploitation is network-reachable and unauthenticated to Rocket.Chat itself (PR:N), but rated high complexity (AC:H) because the attacker must first obtain a valid Apple identity token for the target - from server logs, an intercepted sign-in flow, or a co-located app sharing the same Apple developer team. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a target user's Apple identity token - for example by reading it from exposed Rocket.Chat or reverse-proxy logs, intercepting it during a sign-in flow, or extracting it from a separate app that shares the victim organization's Apple developer team. They then submit that Apple-signed JWT to the vulnerable Rocket.Chat Apple Sign-In endpoint, which accepts it because only the signature and a non-empty iss are checked, and are authenticated as the victim. …
Remediation Vendor-released patch: upgrade to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13 - choose the patched release matching your current minor branch, per the advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-c75c-5hc7-j4vp. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Rocket.Chat deployments and identify versions currently in use; confirm whether Apple Sign-In authentication is enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-22910 CRITICAL POC
9.8 Aug 09

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an

CVE-2021-22911 CRITICAL POC
9.8 May 27

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti

CVE-2022-35248 HIGH POC
8.8 Sep 23

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic

CVE-2022-32211 HIGH POC
8.8 Sep 23

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev

CVE-2024-39713 HIGH POC
8.6 Aug 05

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev

CVE-2021-22892 HIGH POC
7.5 May 27

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema

CVE-2022-30124 MEDIUM POC
6.8 Sep 23

An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph

CVE-2022-32227 MEDIUM POC
6.5 Sep 23

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token

CVE-2022-32220 MEDIUM POC
6.5 Sep 23

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth

CVE-2021-32832 MEDIUM POC
6.5 Aug 30

Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity

CVE-2020-15926 MEDIUM POC
6.1 Aug 18

Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct

CVE-2019-17220 MEDIUM POC
6.1 Oct 21

Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i

Share

EUVD-2026-39120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy