CVE-2026-55666: CWE-287: Improper Authentication in RocketChat Rocket.Chat
CVE-2026-55666 is a critical improper authentication vulnerability in Rocket.Chat affecting versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1. The flaw occurs in the Apple OAuth login handler where the application improperly accepts an arbitrary email value if the Apple-issued JWT lacks an email claim. This allows attackers to forge JWTs without an email and potentially take over user accounts. The vulnerability has a CVSS 4.0 score of 9.3, indicating high severity. A fix is available in the stated versions. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
Rocket.Chat versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1 contain an improper authentication vulnerability (CWE-287) in the Apple OAuth login handler (apps/meteor/app/apple/server/loginHandler.ts). The handleIdentityToken function parses JWTs issued by Apple during OAuth. If the JWT lacks an email claim, the code falls back to accepting an arbitrary email value from the request, enabling attackers to forge JWTs without emails and perform account takeover attacks. This vulnerability is fixed in the listed versions.
Potential Impact
Successful exploitation allows attackers to bypass proper authentication by forging Apple JWTs without an email claim and supplying arbitrary email values, leading to account takeover. This compromises user accounts and potentially sensitive communications within Rocket.Chat.
Mitigation Recommendations
A fix is available in Rocket.Chat versions 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1. Users should upgrade to these versions or later to remediate the vulnerability. No vendor advisory is provided to indicate alternative mitigations or temporary fixes.
CVE-2026-55666: CWE-287: Improper Authentication in RocketChat Rocket.Chat
Description
CVE-2026-55666 is a critical improper authentication vulnerability in Rocket.Chat affecting versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1. The flaw occurs in the Apple OAuth login handler where the application improperly accepts an arbitrary email value if the Apple-issued JWT lacks an email claim. This allows attackers to forge JWTs without an email and potentially take over user accounts. The vulnerability has a CVSS 4.0 score of 9.3, indicating high severity. A fix is available in the stated versions. No known exploits in the wild have been reported.
CVSS v4.0
Score 9.3critical
Affected software
pkg:github/rocketchat/Rocket.ChatRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Rocket.Chat versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1 contain an improper authentication vulnerability (CWE-287) in the Apple OAuth login handler (apps/meteor/app/apple/server/loginHandler.ts). The handleIdentityToken function parses JWTs issued by Apple during OAuth. If the JWT lacks an email claim, the code falls back to accepting an arbitrary email value from the request, enabling attackers to forge JWTs without emails and perform account takeover attacks. This vulnerability is fixed in the listed versions.
Potential Impact
Successful exploitation allows attackers to bypass proper authentication by forging Apple JWTs without an email claim and supplying arbitrary email values, leading to account takeover. This compromises user accounts and potentially sensitive communications within Rocket.Chat.
Mitigation Recommendations
A fix is available in Rocket.Chat versions 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1. Users should upgrade to these versions or later to remediate the vulnerability. No vendor advisory is provided to indicate alternative mitigations or temporary fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-17T00:05:03.777Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c501e4853345fc1e45c60
Added to database: 06/24/2026, 21:46:06 UTC
Last enriched: 06/24/2026, 22:01:30 UTC
Last updated: 06/24/2026, 23:39:49 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.