CVE-2026-23477: CWE-269: Improper Privilege Management in RocketChat Rocket.Chat
Description
CVE-2026-23477 is a high-severity vulnerability in Rocket.Chat versions prior to 6.12.0, involving improper privilege management. Authenticated users can access the GET /api/v1/oauth-apps.get endpoint without proper role or permission checks, allowing them to retrieve sensitive OAuth application details such as client_id and client_secret if they know the application ID. This exposure risks confidentiality but does not affect integrity or availability. The vulnerability requires authentication but no user interaction and can be exploited remotely over the network. It has a CVSS score of 7.7, indicating a significant security risk.
AI Analysis
Technical Summary
CVE-2026-23477 is a vulnerability classified under CWE-269 (Improper Privilege Management) and CWE-862 (Missing Authorization) affecting Rocket.Chat, an open-source communication platform widely used for secure messaging and collaboration. In versions prior to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is accessible to any authenticated user regardless of their assigned roles or permissions. This endpoint returns details of OAuth applications if the user provides a valid application ID. Critically, the response includes sensitive fields such as client_id and client_secret, which are credentials used to authenticate OAuth clients. Exposure of these credentials can lead to unauthorized access to OAuth-protected resources, impersonation of legitimate applications, and potential lateral movement within affected environments. The vulnerability does not require user interaction and can be exploited remotely over the network, but does require the attacker to be authenticated on the Rocket.Chat instance. The CVSS v3.1 base score is 7.7, reflecting high severity due to the ease of exploitation (low attack complexity), network vector, and high confidentiality impact, while integrity and availability remain unaffected. No known exploits in the wild have been reported as of the publication date. The issue was addressed in Rocket.Chat version 6.12.0 by enforcing proper authorization checks on the endpoint to restrict access to users with appropriate privileges.
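As an added illustration (not Rocket.Chat's own code), the following minimal JavaScript model contrasts a handler that only checks authentication, the CWE-862 shape described above, with one that also enforces a permission check before any lookup. The role-to-permission map, the permission name 'manage-oauth-apps' and the in-memory application store are assumptions for this illustration.

```javascript
// Added example, not Rocket.Chat's code: a minimal model of the oauth-apps.get handler
// before and after an authorization check. The role-to-permission map, the permission
// name 'manage-oauth-apps' and the in-memory app store are assumptions for illustration.
const ROLE_PERMISSIONS = { admin: ['manage-oauth-apps'], user: [] };

const oauthApps = new Map([
  ['app1', { _id: 'app1', name: 'Calendar sync', clientId: 'cid-1', clientSecret: 'SECRET-1' }],
]);

function hasPermission(user, permission) {
  return (user.roles || []).some((role) => (ROLE_PERMISSIONS[role] || []).includes(permission));
}

// Vulnerable shape (CWE-862): the caller must be logged in, but nothing checks what they
// may do, so any authenticated user who supplies a valid appId receives clientSecret.
function getOAuthAppVulnerable(user, appId) {
  if (!user) return { status: 401, body: { success: false, error: 'unauthorized' } };
  const app = oauthApps.get(appId);
  if (!app) return { status: 404, body: { success: false, error: 'not found' } };
  return { status: 200, body: { success: true, oauthApp: { ...app } } };
}

// Hardened shape: the permission check runs before the lookup, so a user without the
// management permission learns nothing, not even whether the appId exists.
function getOAuthAppHardened(user, appId) {
  if (!user) return { status: 401, body: { success: false, error: 'unauthorized' } };
  if (!hasPermission(user, 'manage-oauth-apps')) {
    return { status: 403, body: { success: false, error: 'forbidden' } };
  }
  const app = oauthApps.get(appId);
  if (!app) return { status: 404, body: { success: false, error: 'not found' } };
  return { status: 200, body: { success: true, oauthApp: { ...app } } };
}
```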
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of OAuth credentials used within Rocket.Chat deployments. Unauthorized disclosure of client_id and client_secret can enable attackers to impersonate legitimate OAuth clients, potentially gaining unauthorized access to internal services or third-party integrations relying on these credentials. This can lead to data breaches, unauthorized data access, and compromise of internal communication channels. Given Rocket.Chat's use in sectors such as government, finance, healthcare, and critical infrastructure across Europe, exploitation could disrupt secure communications and expose sensitive organizational data. While the vulnerability does not directly impact system integrity or availability, the indirect effects of compromised OAuth credentials could facilitate further attacks or data exfiltration. Organizations with large user bases or those integrating Rocket.Chat with critical business applications are at higher risk. The requirement for authentication limits exposure to insiders or compromised accounts, but the lack of role-based access control on this endpoint broadens the attack surface within the organization.
Mitigation Recommendations
European organizations should immediately upgrade all Rocket.Chat instances to version 6.12.0 or later to remediate this vulnerability. Until patching is possible, restrict access to the Rocket.Chat API endpoints by implementing network-level controls such as IP whitelisting and VPN access to limit authenticated users to trusted personnel only. Review and tighten user role assignments and permissions within Rocket.Chat to minimize the number of users with access to sensitive API endpoints. Implement monitoring and alerting on unusual API access patterns, especially requests to /api/v1/oauth-apps.get, to detect potential exploitation attempts. Rotate OAuth client secrets associated with Rocket.Chat integrations to invalidate any potentially compromised credentials. Conduct regular audits of OAuth applications registered in Rocket.Chat to ensure only authorized applications exist. Additionally, enforce strong authentication mechanisms (e.g., MFA) for Rocket.Chat users to reduce the risk of account compromise. Finally, educate users and administrators about the importance of safeguarding OAuth credentials and promptly applying security updates.
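To make the monitoring recommendation above concrete, here is an added JavaScript example (not Rocket.Chat's or OffSeq's code) that scans access logs for requests to /api/v1/oauth-apps.get and raises alerts for successful reads by users who should not manage OAuth apps, and for one user requesting many distinct application IDs. The JSON-lines log format (ts, userId, method, path, status), the appId query parameter name, the admin list and the sample lines are all constructed assumptions.

```javascript
// Added example, not Rocket.Chat's code: scan access logs for requests to the endpoint named
// in this advisory and raise alerts for reads by users who should not manage OAuth apps and
// for rapid requests across many application IDs. The JSON-lines format (one object per line
// with ts, userId, method, path, status), the appId query parameter name and the admin list
// are assumptions for this illustration.
const ENDPOINT = '/api/v1/oauth-apps.get';
const ADMIN_USER_IDS = new Set(['admin01']);   // assumed: users entitled to read OAuth app records
const ENUMERATION_THRESHOLD = 3;               // distinct appIds requested by one non-admin user

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = `
{"ts":"2026-01-14T18:00:01Z","userId":"admin01","method":"GET","path":"/api/v1/oauth-apps.get?appId=a1","status":200}
{"ts":"2026-01-14T18:00:05Z","userId":"user42","method":"GET","path":"/api/v1/oauth-apps.get?appId=a1","status":200}
{"ts":"2026-01-14T18:00:06Z","userId":"user42","method":"GET","path":"/api/v1/oauth-apps.get?appId=a2","status":200}
{"ts":"2026-01-14T18:00:07Z","userId":"user42","method":"GET","path":"/api/v1/oauth-apps.get?appId=a3","status":404}
{"ts":"2026-01-14T18:00:09Z","userId":"user42","method":"GET","path":"/api/v1/me","status":200}
{"ts":"2026-01-14T18:01:00Z","userId":"user77","method":"GET","path":"/api/v1/oauth-apps.get?appId=a1","status":403}
`;

function parseLines(text) {
  return text.split('\n').filter((line) => line.trim()).map((line) => JSON.parse(line));
}

function findOAuthAppAccess(text) {
  const alerts = [];
  const appIdsByUser = new Map();
  for (const entry of parseLines(text)) {
    // The base URL only lets the relative path parse; nothing is contacted.
    const url = new URL(entry.path, 'http://rocketchat.invalid');
    if (url.pathname !== ENDPOINT) continue;
    const appId = url.searchParams.get('appId') || '?';
    if (!appIdsByUser.has(entry.userId)) appIdsByUser.set(entry.userId, new Set());
    appIdsByUser.get(entry.userId).add(appId);
    // A 200 to a non-admin means the record (clientSecret included) was handed out: unpatched server.
    if (entry.status === 200 && !ADMIN_USER_IDS.has(entry.userId)) {
      alerts.push({ kind: 'unauthorized-read', userId: entry.userId, appId, ts: entry.ts });
    }
  }
  // Many distinct IDs from one non-admin user is worth a look even on a patched server.
  for (const [userId, ids] of appIdsByUser) {
    if (!ADMIN_USER_IDS.has(userId) && ids.size >= ENUMERATION_THRESHOLD) {
      alerts.push({ kind: 'enumeration', userId, distinctAppIds: ids.size });
    }
  }
  return alerts;
}
```

On the constructed sample, the scan yields two unauthorized-read alerts and one enumeration alert, all for user42; the 403 for user77 indicates a server that already enforces the check.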
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-13T15:47:41.627Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 6967de03d0ff220b953260fb
Added to database: 1/14/2026, 6:18:43 PM
Last enriched: 1/14/2026, 6:33:06 PM
Last updated: 1/14/2026, 7:02:04 PM