Threat Intelligence Database

Database of recent cyber threats affecting organizations worldwide. The entries on this page are the listed Rocket.Chat advisories.

CVE-2026-55762: CWE-862: Missing Authorization in RocketChat Rocket.Chat

A missing authorization vulnerability exists in Rocket.Chat versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1 in the POST /api/v1/fingerprint REST endpoint. Authentication is required, but the endpoint performs no authorization check, so any authenticated user, including one with only the standard user role, can deregister the workspace from Rocket.Chat Cloud. Deregistration removes the cloud credentials and the workspace license and disables push notifications; an administrator must re-register the workspace manually to restore them. Severity is high (CVSS 8.1). The issue is fixed in the versions listed above.

CVE-2026-55759: CWE-287: Improper Authentication in RocketChat Rocket.Chat

Rocket.Chat versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1 contain an authentication vulnerability in the Apple Sign-In handler. The handler verifies the JWT signature but does not validate the token's claims: audience, expiration, not-before, or nonce. Because neither the expiration nor the per-login nonce is checked, an attacker who obtains a user's Apple identity token can replay it and authenticate as that user indefinitely. The issue is fixed in the listed versions.

CVE-2026-55666: CWE-287: Improper Authentication in RocketChat Rocket.Chat

CVE-2026-55666 is a critical improper authentication vulnerability in Rocket.Chat affecting versions prior to 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1. The flaw is in the Apple OAuth login handler: when the Apple-issued JWT lacks an email claim, the application accepts an arbitrary email value in its place. An attacker who presents a JWT without an email claim can therefore supply an email of their choosing and potentially take over the account registered under that address. The vulnerability has a CVSS 4.0 score of 9.3 (critical). A fix is available in the stated versions. No known exploitation in the wild has been reported.

CVE-2026-49277: CWE-613: Insufficient Session Expiration in RocketChat Rocket.Chat

Rocket.Chat versions prior to 7.10.12, 7.13.8, 8.0.6, 8.1.5, 8.2.4, 8.3.4, 8.4.2, and 8.5.0 do not revoke OAuth bearer or refresh tokens when a user is deactivated. This allows a deactivated user to continue using existing OAuth access tokens and mint new access tokens from existing refresh tokens. The issue is addressed in the specified fixed versions.

CVE-2026-46423: CWE-347: Improper Verification of Cryptographic Signature in RocketChat Rocket.Chat

Rocket.Chat versions prior to 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0 contain a vulnerability in their SAML service provider implementation. When the IdP certificate field is left empty, the system skips verification of SAML Response and Assertion signatures, allowing authentication bypass via unsigned or attacker-supplied assertions. This occurs by default if an administrator enables SAML without configuring the IdP certificate. The issue is fixed in the listed versions.

CVE-2026-45689: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in RocketChat Rocket.Chat

CVE-2026-45689 is a critical vulnerability in Rocket.Chat prior to versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0. The OAuth token endpoint does not validate that grant parameters are strings before using them in MongoDB queries, so an unauthenticated attacker can send query operators in place of a value and bypass the endpoint's authentication checks. The result is a valid OAuth access token for an arbitrary user, including administrators, and therefore full API access without any credentials or user interaction.

CVE-2026-45688: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in RocketChat Rocket.Chat

CVE-2026-45688 is a critical vulnerability in Rocket.Chat prior to versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0. The CAS login handler passes the supplied ticket into a MongoDB query without neutralizing special elements, so an unauthenticated attacker can inject query operators and bypass the CAS ticket check. Successful exploitation yields a full session as the victim user, including administrators, and therefore complete compromise of the instance. The vulnerability has a CVSS score of 9.1 (critical).

CVE-2026-45677: CWE-862: Missing Authorization in RocketChat Rocket.Chat

Rocket.Chat versions prior to 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0 contain a vulnerability in their SAML integration where inbound LogoutRequest messages do not have their signatures verified. An unauthenticated attacker who knows a target user's SAML NameID can send unsigned LogoutRequest messages to forcibly log out the user without their interaction. This can be exploited repeatedly to disrupt user sessions and render the service unusable for SAML-authenticated users. The vulnerability is identified as CWE-862 (Missing Authorization) and has a high severity with a CVSS score of 8.7. Fixes are available in the listed versions.
