CVE-2026-45689
Deferred Deferred - Pending Action

Authentication Bypass via MongoDB Query Injection in Rocket.Chat

Vulnerability report for CVE-2026-45689, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {"$ne": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket.chat rocket.chat to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. An unauthenticated network attacker can obtain a valid OAuth access token for any user by sending a specially crafted HTTP POST request to the /oauth/token endpoint.

The issue arises because the OAuth2 server does not validate that grant parameters are strings before using them in a MongoDB query. By substituting MongoDB query operators like {$ne: null} for parameters such as client_id, client_secret, and refresh_token, the attacker tricks the server into returning a valid access token and refresh token pair for the first user token MongoDB returns.

The attacker can iterate through the tokens using other MongoDB operators to collect access tokens for all users, including administrators, without needing any credentials or prior interaction with the system.

Impact Analysis

This vulnerability allows an attacker to gain unauthorized access to any user's account on Rocket.Chat, including administrator accounts.

  • The attacker can impersonate users and access all API endpoints available to those users.
  • If an administrator's token is compromised, the attacker gains full admin API access, including the ability to install Apps-Engine apps, which can lead to server-side code execution.
  • No authentication or prior knowledge of user credentials is required, making the attack easy to perform remotely.
Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

This update addresses the issue where unauthenticated attackers could obtain valid OAuth access tokens by exploiting improper validation of grant parameters.

Compliance Impact

This vulnerability allows unauthenticated attackers to obtain valid access tokens for any user, including administrators, leading to unauthorized access to sensitive data and administrative functions.

Such unauthorized access can result in exposure or manipulation of personal and sensitive information, which may violate data protection regulations like GDPR and HIPAA that require strict access controls and protection of user data.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to failure to adequately protect user data and prevent unauthorized access.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP POST requests to the /oauth/token endpoint containing MongoDB query operators such as {"$ne": null} in the parameters client_id, client_secret, or refresh_token.

A practical detection method involves inspecting web server logs or network traffic for suspicious POST requests to /oauth/token that include MongoDB operators in the payload.

Example commands to detect such activity might include using tools like curl to simulate the attack or grep to search logs for suspicious patterns.

  • Using grep to find suspicious POST requests in access logs: grep -i 'POST /oauth/token' /var/log/nginx/access.log | grep '\$ne'
  • Using tcpdump or Wireshark to capture HTTP POST requests to /oauth/token and inspect payloads for MongoDB operators.
  • Using curl to test if the endpoint is vulnerable (for authorized testing only): curl -X POST https://your.rocket.chat.instance/oauth/token -d '{"client_id":{"$ne":null},"client_secret":{"$ne":null},"refresh_token":{"$ne":null}}' -H 'Content-Type: application/json'

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart