CVE-2026-45688
Deferred Deferred - Pending Action

Authentication Bypass in Rocket.Chat via MongoDB Operator Injection

Vulnerability report for CVE-2026-45688, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket.chat rocket.chat to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an unauthenticated attacker to hijack user sessions, including those of administrators, leading to full instance compromise and potential unauthorized access to sensitive data.

Such unauthorized access and potential data exfiltration could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over user data confidentiality and integrity.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to the compromise of user accounts and sensitive information.

Executive Summary

This vulnerability exists in Rocket.Chat's CAS login handler prior to certain fixed versions. The handler forwards a client-supplied credential token directly into a MongoDB query without checking its type at runtime. Because TypeScript's type annotations are erased at runtime, an attacker can replace the expected token string with a MongoDB query operator (like "$gt" or "$ne"). This causes the query to match the first unexpired credential token document, bypassing the CAS ticket verification.

When a legitimate CAS or SAML SSO login is in progress, the attacker can then use this bypass to obtain a full authentication token for the victim user. This token grants access to the REST and DDP interfaces as that user. If the victim is an administrator, the attacker can fully compromise the instance, including installing apps via the Apps-Engine.

The vulnerability is fixed in Rocket.Chat versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated attacker to bypass authentication and gain full access to a victim user's account on Rocket.Chat.

  • The attacker can obtain a Meteor authentication token for the victim user.
  • The attacker can access all REST and DDP interfaces as the victim user.
  • If the victim user is an administrator, the attacker can fully compromise the Rocket.Chat instance, including installing malicious apps.

Overall, this leads to unauthorized access, potential data exposure, and full system compromise.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized NoSQL query patterns targeting the CAS login handler endpoints, specifically the `/websocket` (Meteor DDP) or `/api/v1/login` endpoints on Rocket.Chat instances that have CAS or SAML configured and actively in use.

Detection involves looking for injected MongoDB query operators such as `{"$gt": ""}` or `{"$ne": null}` in the `credentialToken` parameter during login attempts, which are not expected in normal operation.

Since the attack requires a legitimate CAS or SAML SSO login to occur within a short time window, monitoring logs for rapid repeated login attempts or unusual authentication token issuance patterns may help identify exploitation attempts.

Suggested commands to detect suspicious activity could include:

  • Using network traffic capture tools like tcpdump or Wireshark to filter requests to `/api/v1/login` or `/websocket` endpoints and inspect payloads for MongoDB operators in the `credentialToken` field.
  • Example tcpdump command to capture relevant HTTP POST requests: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'credentialToken'`
  • Using application logs or Rocket.Chat server logs to search for login requests containing suspicious `credentialToken` values with MongoDB operators, e.g., `grep -E '\$gt|\$ne' /path/to/rocket.chat/logs`.
  • If access to the MongoDB instance is available, querying the `credential_tokens` collection for unexpected or malformed entries might help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45688. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart