CVE-2026-23477: CWE-269: Improper Privilege Management in RocketChat Rocket.Chat
CVE-2026-23477 is a high-severity privilege management vulnerability in Rocket.Chat versions prior to 6.12.0. It allows any authenticated user, regardless of role or permissions, to access the GET /api/v1/oauth-apps.get API endpoint. This endpoint exposes OAuth application details, including the sensitive client_id and client_secret fields, if the user knows the OAuth app ID. The vulnerability does not require user interaction and can be exploited remotely with low complexity. While no exploits are currently known in the wild, the exposure of OAuth credentials can lead to unauthorized access to integrated services. The issue is fixed in Rocket.
AI Analysis
Technical Summary
CVE-2026-23477 is a vulnerability classified under CWE-269 (Improper Privilege Management) and CWE-862 (Missing Authorization) affecting Rocket.Chat, an open-source communication platform widely used for team collaboration. In versions prior to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is improperly exposed to any authenticated user without adequate permission checks. This endpoint returns details of OAuth applications if the user provides a valid OAuth app ID. Critically, the response includes sensitive fields such as client_id and client_secret, which are credentials used to authenticate OAuth clients. Exposure of these credentials can allow attackers to impersonate legitimate OAuth clients, potentially gaining unauthorized access to integrated services or escalating privileges within the environment. The vulnerability has a CVSS v3.1 score of 7.7 (high severity), reflecting its network attack vector, low attack complexity, requirement for only low privileges (authenticated user), no user interaction, and a scope change due to potential compromise beyond the initial system. Although no public exploits have been reported, the risk is significant given the sensitivity of OAuth credentials. The vulnerability was publicly disclosed and fixed in Rocket.Chat version 6.12.0, which implements proper authorization checks to restrict access to this endpoint based on user roles and permissions. Organizations running affected versions should upgrade promptly to prevent unauthorized disclosure of OAuth credentials.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial. Rocket.Chat is commonly used in enterprises, government agencies, and critical infrastructure sectors for secure communications. Exposure of OAuth client credentials can lead to unauthorized access to connected services, data leakage, and potential lateral movement within networks. This could compromise confidentiality of sensitive communications and integrated applications. Since the vulnerability requires only authenticated access, any compromised or malicious internal user can exploit it, increasing insider threat risks. The lack of integrity or availability impact reduces the chance of direct service disruption, but the confidentiality breach alone can have severe regulatory and reputational consequences under GDPR and other data protection laws. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and public administration, are particularly vulnerable. The potential for scope change means attackers could leverage stolen credentials to access other systems, amplifying the overall risk.
Mitigation Recommendations
1. Upgrade all Rocket.Chat instances to version 6.12.0 or later immediately to apply the official fix that enforces proper authorization on the OAuth apps API endpoint.
2. Audit existing OAuth applications and rotate client secrets to invalidate any potentially compromised credentials.
3. Implement strict access controls and monitoring on Rocket.Chat authentication to detect anomalous access patterns, especially from low-privilege accounts.
4. Limit the number of users with authenticated access to Rocket.Chat and enforce strong authentication mechanisms such as MFA.
5. Review and restrict API access logs to identify any unauthorized queries to the /api/v1/oauth-apps.get endpoint.
6. Educate users about the risks of credential exposure and encourage reporting of suspicious activity.
7. Consider network segmentation to isolate Rocket.Chat servers and reduce exposure to internal threats.
8. Employ runtime application self-protection (RASP) or web application firewalls (WAF) to detect and block unauthorized API calls if upgrading is temporarily not feasible.
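The missing-authorization pattern described in the technical summary and the log review in mitigation 5, as an added JavaScript example that is not Rocket.Chat's own code: one permission predicate serves both as the server-side gate a fixed endpoint needs and as a triage rule over API access-log lines. The permission name "manage-oauth-apps", the role map, the handler shape and the JSON log format are assumptions constructed for this example.

```javascript
// Added example, not Rocket.Chat code. The permission name, role map and
// log format are assumptions constructed for illustration.
const OAUTH_APPS_GET = '/api/v1/oauth-apps.get';
const REQUIRED_PERMISSION = 'manage-oauth-apps'; // assumed name

// Role -> permissions map; constructed for this example.
const ROLE_PERMISSIONS = {
  admin: new Set(['manage-oauth-apps', 'view-room-administration']),
  user: new Set(['create-c', 'view-c-room']),
  guest: new Set([]),
};

function hasPermission(roles, permission) {
  return roles.some((r) => ROLE_PERMISSIONS[r]?.has(permission));
}

// Hardened handler shape: being authenticated is not enough, the caller
// must hold the permission before any OAuth app record (with its secret) is returned.
function getOAuthApp(requester, appId, store) {
  if (!requester) return { status: 401, body: { error: 'unauthorized' } };
  if (!hasPermission(requester.roles, REQUIRED_PERMISSION)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const app = store.get(appId);
  if (!app) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { oauthApp: app } };
}

// Triage over one JSON access-log entry per line (constructed format).
// Flags every oauth-apps.get call whose requester lacked the permission,
// i.e. the requests an unpatched (pre-6.12.0) server would have answered.
function triageOAuthAppsAccess(logLines) {
  const findings = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (entry.method !== 'GET' || entry.path !== OAUTH_APPS_GET) continue;
    if (hasPermission(entry.roles ?? [], REQUIRED_PERMISSION)) continue;
    findings.push({ ts: entry.ts, userId: entry.userId, appId: entry.query?.appId ?? null, status: entry.status });
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2026-01-15T09:00:01Z","userId":"u-admin","roles":["admin"],"method":"GET","path":"/api/v1/oauth-apps.get","query":{"appId":"app-1"},"status":200}',
  '{"ts":"2026-01-15T09:02:13Z","userId":"u-low","roles":["user"],"method":"GET","path":"/api/v1/oauth-apps.get","query":{"appId":"app-1"},"status":200}',
  '{"ts":"2026-01-15T09:02:20Z","userId":"u-low","roles":["user"],"method":"GET","path":"/api/v1/channels.list","status":200}',
  'not json',
];
```

Any finding with status 200 is a disclosure that should trigger rotation of that app's client secret (mitigation 2).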
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T15:47:41.627Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6967de03d0ff220b953260fb
Added to database: 1/14/2026, 6:18:43 PM
Last enriched: 1/21/2026, 8:38:38 PM
Last updated: 2/7/2026, 11:36:16 AM