CVE-2026-55666 Overview
CVE-2026-55666 is an authentication bypass vulnerability in Rocket.Chat, an open-source communications platform. The flaw exists in the Apple OAuth login handler at apps/meteor/app/apple/server/loginHandler.ts. The handleIdentityToken function parses a JSON Web Token (JWT) issued by Apple during the OAuth flow. When the JWT does not contain an email address, the application falls back to accepting an arbitrary email value supplied directly in the request. Attackers can forge Apple JWTs without an email claim and supply any victim email to take over accounts. The vulnerability is classified under [CWE-287] Improper Authentication.
Critical Impact
Unauthenticated remote attackers can take over arbitrary Rocket.Chat accounts by forging Apple JWTs that lack an email claim and supplying a target email in the request.
Affected Products
- Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13
- Deployments using Apple OAuth Sign-In integration
- Self-hosted and cloud Rocket.Chat instances with Apple identity provider enabled
Discovery Timeline
- 2026-06-24 - CVE-2026-55666 published to the National Vulnerability Database (NVD)
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-55666
Vulnerability Analysis
The vulnerability resides in the handleIdentityToken function within apps/meteor/app/apple/server/loginHandler.ts. This function processes the identity token returned by Apple during the Sign In with Apple OAuth handshake. The handler parses the JWT and inspects it for an email claim. When the email claim is absent from the token, the implementation does not reject the authentication attempt. Instead, control flow falls through to a path that accepts an arbitrary email value provided in the request payload by the client.
This fallback design assumes the request originates from a legitimate Apple OAuth flow. An attacker who can forge or supply a JWT without an email claim controls which account the server associates with the login. The server then issues a valid session for the email submitted by the attacker, completing account takeover without knowledge of the victim's credentials.
Root Cause
The root cause is improper authentication logic in the Apple identity token handler. The code trusts client-supplied input as an authoritative identity assertion when the cryptographically signed token omits the expected claim. There is no verification that the supplied email value originated from Apple or matches any value bound to the token.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker crafts a request to the Apple OAuth login endpoint containing a JWT without an email claim and includes the target user's email address in the request body. The server processes the request, falls through to the unsafe fallback branch, and authenticates the attacker as the victim. Administrative accounts are valid targets, enabling full compromise of the Rocket.Chat workspace.
No verified exploit code has been published. Technical details are available in the Rocket.Chat GitHub Security Advisory.
Detection Methods for CVE-2026-55666
Indicators of Compromise
- Authentication events in Rocket.Chat logs referencing the Apple OAuth login handler with missing or null email claims in the parsed JWT
- Successful logins for accounts that did not previously use Sign In with Apple
- Unexpected session creation followed by privilege changes, role grants, or integration token generation
- Anomalous source IP addresses or user agents associated with Apple OAuth login attempts
Detection Strategies
- Review Rocket.Chat server logs for Apple OAuth login attempts where the identity token lacks an email claim
- Correlate Apple login events with subsequent administrative actions performed by the affected account
- Audit account-link records to identify users whose Apple identity binding changed without a corresponding user-initiated action
- Alert on logins from accounts that have never previously authenticated via Apple OAuth
Monitoring Recommendations
- Forward Rocket.Chat application and authentication logs to a centralized SIEM for correlation
- Track baseline OAuth provider usage per user and flag deviations
- Monitor for spikes in failed-to-success authentication transitions on the Apple OAuth endpoint
- Enable audit logging for administrative role changes and API token issuance
How to Mitigate CVE-2026-55666
Immediate Actions Required
- Upgrade Rocket.Chat to a fixed version: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13 as appropriate for the deployed release line
- Audit recent Apple OAuth login events and invalidate sessions for any account showing suspicious authentication
- Rotate API tokens, personal access tokens, and integration credentials for potentially affected accounts
- Review administrative role assignments and revert unauthorized changes
Patch Information
Rocket.Chat published fixes in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The patches correct the handleIdentityToken logic so that authentication is rejected when the Apple JWT does not contain a verified email claim. Patch details are available in the Rocket.Chat GitHub Security Advisory GHSA-wx3c-76rf-wpwf.
Workarounds
- Disable the Apple OAuth login provider in the Rocket.Chat administration panel until the patch is applied
- Restrict network access to the Rocket.Chat authentication endpoints from untrusted networks
- Enforce two-factor authentication for administrative and privileged accounts to limit impact of single-factor bypass
# Disable Apple OAuth via Rocket.Chat administration API until patched
curl -X POST "https://rocketchat.example.com/api/v1/settings/Accounts_OAuth_Apple" \
-H "X-Auth-Token: $ADMIN_TOKEN" \
-H "X-User-Id: $ADMIN_USER_ID" \
-H "Content-Type: application/json" \
-d '{"value": false}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

