Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45688

CVE-2026-45688: Rocket.Chat Auth Bypass Vulnerability

CVE-2026-45688 is an authentication bypass vulnerability in Rocket.Chat that allows attackers to hijack user sessions via NoSQL injection. This post covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-45688 Overview

CVE-2026-45688 is a NoSQL injection vulnerability in Rocket.Chat's Central Authentication Service (CAS) login handler. The flaw allows unauthenticated attackers to bypass CAS ticket validation by submitting a MongoDB query operator instead of an opaque credential token string. Successful exploitation hijacks any in-flight CAS or Security Assertion Markup Language (SAML) single sign-on (SSO) session and returns a valid Meteor authentication token bound to the victim user. When the victim holds administrator privileges, attackers gain full instance compromise through the Apps-Engine application install surface. The weakness is tracked under [CWE-943] Improper Neutralization of Special Elements in Data Query Logic.

Critical Impact

An unauthenticated attacker can hijack any concurrent CAS or SAML SSO login and obtain a full Meteor authentication token bound to the victim, including administrators.

Affected Products

  • Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, and 8.0.5
  • Rocket.Chat 7.x versions prior to 7.13.7
  • Rocket.Chat 7.10.x versions prior to 7.10.11

Discovery Timeline

  • 2026-06-24 - CVE-2026-45688 published to the National Vulnerability Database (NVD)
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-45688

Vulnerability Analysis

The vulnerability resides in Rocket.Chat's CAS login handler. The handler forwards the client-supplied options.cas.credentialToken value directly into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at compile time, so the server cannot enforce the expected type during request handling.

An attacker substitutes a MongoDB operator object such as {"$gt": ""} or {"$ne": null} for the ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. The vulnerability is classified under [CWE-943].

Root Cause

The root cause is missing runtime input validation on a security-critical query parameter. The codebase relies on TypeScript type annotations that do not exist at runtime, leaving the MongoDB query exposed to operator injection. Any value the client supplies is passed unchanged to the database driver.

Attack Vector

Exploitation requires network access to the Rocket.Chat login endpoint and a concurrent legitimate CAS or SAML SSO login in flight. The attacker sends a Distributed Data Protocol (DDP) login call containing a MongoDB operator in place of the credential token. The operator matches the victim's pending credential-token row, and the server issues a Meteor authentication token containing the victim's userId and session token. The attacker then uses this token against the full REST and DDP surface as that user. When the victim is an administrator, the attacker installs a malicious Apps-Engine application to achieve code execution on the instance.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-rr54-jf4h-6cj9 for technical details.

Detection Methods for CVE-2026-45688

Indicators of Compromise

  • DDP or REST login requests containing JSON objects in the credentialToken field rather than string values, such as {"$gt": ""} or {"$ne": null}
  • Successful CAS or SAML login events that lack a corresponding upstream identity provider assertion in CAS server logs
  • New Meteor authentication tokens issued to administrator accounts immediately following anomalous CAS handshakes
  • Apps-Engine app installations from administrator sessions that originate from unusual source addresses

Detection Strategies

  • Inspect application logs for credentialToken parameters whose serialized type is object rather than string
  • Correlate Rocket.Chat login success events against upstream CAS or SAML identity provider audit logs to flag unmatched sessions
  • Alert on administrator-tier session creation followed by Apps-Engine app install API calls within a short time window
  • Deploy web application firewall (WAF) rules that reject login payloads where the credential token field is not a primitive string

Monitoring Recommendations

  • Forward Rocket.Chat application logs and reverse proxy access logs to a centralized analytics platform for query inspection
  • Track the rate of CAS and SAML login failures and successes to detect bursts of injection attempts
  • Monitor MongoDB query patterns against the credential_tokens collection for unexpected operator usage

How to Mitigate CVE-2026-45688

Immediate Actions Required

  • Upgrade Rocket.Chat to a patched release: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11
  • Audit administrator accounts and installed Apps-Engine applications for unauthorized additions since the vulnerable version was deployed
  • Revoke all active Meteor authentication tokens to force re-authentication after upgrading
  • Rotate any secrets, API keys, and integration tokens that an attacker with administrator access could have exfiltrated

Patch Information

Rocket.Chat released fixes in versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. The patch adds runtime type validation on the credentialToken parameter before it reaches the MongoDB query. Patch details are documented in the Rocket.Chat Security Advisory GHSA-rr54-jf4h-6cj9.

Workarounds

  • Disable the CAS authentication integration until the instance is upgraded to a fixed version
  • Restrict network access to the Rocket.Chat login endpoints to trusted networks or identity provider source ranges
  • Apply a reverse proxy or WAF rule that rejects login requests where credentialToken is not a JSON string primitive
bash
# Example NGINX rule to block non-string credentialToken values
# Reject login payloads containing MongoDB operators in credentialToken
location /api/v1/login {
    if ($request_body ~* "\"credentialToken\"\s*:\s*\{") {
        return 400;
    }
    proxy_pass http://rocketchat_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.