Rocket.Chat versions prior to 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0 contain a vulnerability (CWE-943) where the OAuth2 server does not properly neutralize special MongoDB query operators in grant parameters sent to the /oauth/token endpoint. An unauthenticated attacker can send specially crafted HTTP POST requests with MongoDB operators such as {$ne: null} for client_id, client_secret, and refresh_token fields. This causes the server to return a valid access token bound to a user whose refresh token is returned first by the database query. By iterating with other operators, the attacker can enumerate and obtain access tokens for all users, including administrators. These tokens provide full bearer access to the API, including administrative functions and server-side code execution via Apps-Engine. No authentication or prior knowledge is required. The issue is fixed in the listed patched versions.

An unauthenticated remote attacker can obtain valid OAuth access tokens for any user, including administrators, without credentials. This leads to full compromise of user accounts and administrative control over the Rocket.Chat instance via the API. The attacker can execute server-side code through administrative API access, resulting in complete system compromise. The vulnerability has a CVSS 3.1 score of 9.1 (critical) due to its ease of exploitation and high impact on confidentiality and integrity.

A fix is available in Rocket.Chat versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0. Users should upgrade to one of these versions or later to remediate this vulnerability. Patch status is confirmed by the vendor's versioning information. No other mitigations are indicated by the vendor advisory.