Vypr Intelligence · AI-generated · Jun 24, 2026 · 12 CVEs

Rocket.Chat: Twelve Vulnerabilities Disclosed, Threatening Authentication and Data Integrity

A coordinated disclosure on June 24, 2026, revealed twelve critical vulnerabilities in Rocket.Chat, affecting authentication, data security, and SSO mechanisms.

Key findings

  • Twelve Rocket.Chat vulnerabilities disclosed on June 24, 2026, impact authentication, data handling, and SSO.
  • Multiple CVEs allow account takeover via NoSQL injection in OAuth2 and CAS login handlers.
  • Token validation flaws in Apple Sign-In and persistent tokens after deactivation pose significant risks.
  • Unprotected API endpoints and data export vulnerabilities enable unauthorized access and data theft.
  • SAML signature validation skips and XSS in markdown images are also among the disclosed flaws.
  • Patches are available in various versions including 8.5.1, 8.5.0, and older releases; prompt updates are critical.

On June 24, 2026, a batch of twelve vulnerabilities was disclosed for Rocket.Chat, a popular open-source communication platform. The vulnerabilities span several components and affect authentication, authorization, and data handling, with several allowing account takeover or sensitive data exposure. The disclosures highlight critical weaknesses in how Rocket.Chat handles its authentication mechanisms, including OAuth, SAML, and its internal API endpoints.

Several vulnerabilities center on authentication bypass and token manipulation. CVE-2026-55759 and CVE-2026-55666 reveal flaws in the Apple Sign-In integration, where JWT claims validation is skipped, and email parameters are mishandled, potentially allowing for expired token replay and account takeover. Similarly, CVE-2026-45689 and CVE-2026-45688 detail pre-authentication NoSQL injection vulnerabilities in the OAuth2 Token Endpoint and CAS Login Handler, respectively, enabling arbitrary user account takeover and session hijacking.
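The paragraph above mentions pre-authentication NoSQL injection in login handlers. The following is an added example, not Rocket.Chat code and not a description of the specific flaws, showing the general hardening pattern for a Node/MongoDB login handler: credentials and identifiers taken from a parsed JSON body are accepted only as plain strings, and any nested MongoDB operator key is rejected before a query filter is built. The field names `username` and `ticket` are hypothetical.

```javascript
// Added example (not Rocket.Chat code): reject non-scalar login parameters
// before they reach a MongoDB query. A handler that builds a filter such as
// { username: req.body.username } is unsafe when the body is parsed JSON,
// because the value may arrive as an object (e.g. { "$ne": null }) rather
// than a string, turning an equality match into an operator query.

const MAX_LEN = 256;

// True if the value is an object/array containing, at any depth, a key that
// starts with "$" or contains "." (the characters MongoDB treats specially).
function containsOperatorKey(value, depth = 0) {
  if (depth > 32) return true; // refuse pathologically deep input
  if (Array.isArray(value)) return value.some((v) => containsOperatorKey(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) return true;
      if (containsOperatorKey(v, depth + 1)) return true;
    }
  }
  return false;
}

// Validate one credential/identifier parameter for use in a query filter.
// Returns { ok: true, value } for an acceptable string, else { ok: false, reason }.
function validateScalarParam(name, value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: `${name} must be a string, got ${value === null ? 'null' : typeof value}` };
  }
  if (value.length === 0 || value.length > MAX_LEN) {
    return { ok: false, reason: `${name} length out of range` };
  }
  if (/[\u0000-\u001f]/.test(value)) {
    return { ok: false, reason: `${name} contains control characters` };
  }
  return { ok: true, value };
}

// Build a query filter from an untrusted request body for the listed fields.
// Throws on any non-string field so the caller never hands an attacker-shaped
// object to the database driver. Each value is wrapped in an explicit $eq so
// the intended equality semantics are pinned in the query itself.
function buildLoginFilter(body, fields) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  if (containsOperatorKey(body)) {
    throw new TypeError('request body contains MongoDB operator keys');
  }
  const filter = {};
  for (const field of fields) {
    const r = validateScalarParam(field, body[field]);
    if (!r.ok) throw new TypeError(r.reason);
    filter[field] = { $eq: r.value };
  }
  return filter;
}

// Constructed sample request bodies (hypothetical field names).
const goodBody = { username: 'alice', ticket: 'ST-1-constructed' };
const badBody = { username: { $ne: null }, ticket: 'ST-1-constructed' };
```

The same check belongs at every pre-authentication entry point that accepts JSON, since a schema validator that only checks for the presence of a field will happily pass an object where a string was expected. A detection-side counterpart is to log and alert on rejected bodies containing `$`-prefixed keys, which are a strong signal of probing.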

Further complicating authentication security, CVE-2026-49277 and CVE-2026-45757 indicate that OAuth access and refresh tokens, as well as login tokens, are not properly revoked upon user deactivation, allowing continued access even after an account is marked inactive. CVE-2026-55762 points to an unprotected /api/v1/fingerprint endpoint that allows any authenticated user to permanently deregister a workspace from Rocket.Chat Cloud.

Data export and integrity are also affected. CVE-2026-45687 describes an authenticated arbitrary data export vulnerability via mass assignment in the sendFileMessage method, allowing attackers to exfiltrate data by manipulating file objects. CVE-2026-49278 highlights a Livechat Visitor Profile Disclosure vulnerability where the visitor's bearer token is leaked in the API response, enabling visitor impersonation.

Security for Single Sign-On (SSO) integrations, specifically SAML, is also impacted. CVE-2026-46423 and CVE-2026-45677 reveal that SAML signature validation is skipped under certain conditions, both during login (when the IdP certificate field is empty) and during logout (allowing for potential Denial of Service).

Finally, CVE-2026-47733 addresses a cross-site scripting (XSS) vulnerability due to missing URL protocol sanitization in the ImageElement component, which allows for the rendering of javascript: URLs in markdown images, potentially leading to script execution in the context of the user's browser.
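The fix described above is URL protocol sanitization before rendering. As an added example that is not Rocket.Chat's own `ImageElement` code, the function below shows the allow-list form of that check: the candidate image source is normalized the way browsers normalize it (embedded tab/newline stripped, surrounding C0 controls and spaces trimmed), parsed with the WHATWG `URL` parser, and accepted only when its scheme is `http:` or `https:`. The default base origin `https://example.invalid` is a placeholder; a renderer would pass its own site origin so relative paths resolve correctly.

```javascript
// Added example (not Rocket.Chat code): scheme allow-list for markdown image
// sources. Anything other than http/https (javascript:, data:, vbscript:,
// file:, custom schemes) is dropped instead of being placed in <img src>.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Browsers ignore ASCII tab, LF and CR inside a scheme and strip leading/
// trailing C0 controls and spaces before parsing; mirror that so a string
// like "java\tscript:" cannot slip past a naive prefix check.
function normaliseUrlInput(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Returns the sanitised absolute URL string if it is safe to use as an image
// src, or null if the image must be dropped. Relative references (no scheme)
// are resolved against baseOrigin and therefore inherit its scheme.
function sanitizeImageSrc(raw, baseOrigin = 'https://example.invalid') {
  if (typeof raw !== 'string') return null;
  const s = normaliseUrlInput(raw);
  if (s.length === 0 || s.length > 2048) return null;
  let url;
  try {
    url = new URL(s, baseOrigin); // WHATWG parser lower-cases the scheme for us
  } catch {
    return null; // unparseable input is never rendered
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Render helper: returns an <img> tag string or an empty string when the
// source is rejected. The alt text is escaped separately because scheme
// checking says nothing about attribute-context injection.
function escapeAttr(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderMarkdownImage(src, alt, baseOrigin) {
  const safeSrc = sanitizeImageSrc(src, baseOrigin);
  if (safeSrc === null) return '';
  return `<img src="${escapeAttr(safeSrc)}" alt="${escapeAttr(alt)}">`;
}
```

Parsing with `URL` rather than matching a `javascript:` prefix is the important design choice: the parser applies the same normalisation the browser will, so mixed case, embedded whitespace and scheme-relative forms are judged the way the browser judges them. Deployments that need inline `data:image/*` sources should add that as an explicit, separately validated case rather than widening the allow-list to all of `data:`.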

For most of these vulnerabilities, the authentication-related issues affect versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, while the data handling and token-related issues affect versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. The affected versions for the SAML and image rendering vulnerabilities vary. Users are strongly advised to update to the patched versions to mitigate these risks.
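Because the patched releases above are spread across several branches, deciding whether a given deployment is covered is a small comparison exercise. The script below is an added example, not Rocket.Chat tooling, that takes an installed version string and reports, separately for the authentication-related and the data/token-related fix sets, whether it is at or above the patched release for its major.minor branch. It assumes, as labelled, that each listed release is the fix for its own branch; a branch with no listed release is reported as unknown rather than guessed, and the SAML and image rendering fixes, whose versions the summary does not enumerate, are not covered.

```javascript
// Added example (not Rocket.Chat tooling): per-branch version check against
// the patched releases quoted in the summary above.
// ASSUMPTION: fixes are shipped per minor branch, so a deployment on 8.4.x is
// patched from 8.4.4 (authentication set) and 8.4.2 (data/token set).

const PATCHED_AUTH = ['8.5.1', '8.4.4', '8.3.6', '8.2.6', '8.1.6', '8.0.7', '7.10.13'];
const PATCHED_DATA = ['8.5.0', '8.4.2', '8.3.4', '8.2.4', '8.1.5', '8.0.6', '7.13.8', '7.10.12'];

// Parse "v8.5.1" / "8.5.1-rc.1" into numeric parts plus a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

// Semver-style ordering: numeric triple first; a pre-release of X sorts
// below X itself (8.5.1-rc.1 < 8.5.1), so it is treated as not yet patched.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns { status: 'patched' | 'affected' | 'unknown-branch', branch, patchedAt }.
function checkBranch(installed, patchedList) {
  const inst = parseVersion(installed);
  const branch = `${inst.major}.${inst.minor}`;
  const target = patchedList
    .map(parseVersion)
    .find((p) => p.major === inst.major && p.minor === inst.minor);
  if (!target) return { status: 'unknown-branch', branch, patchedAt: null };
  const patchedAt = `${target.major}.${target.minor}.${target.patch}`;
  const status = compareVersions(inst, target) < 0 ? 'affected' : 'patched';
  return { status, branch, patchedAt };
}

// Assess one installed version against both fix sets from the summary.
function assessVersion(installed) {
  return {
    installed,
    authenticationFixes: checkBranch(installed, PATCHED_AUTH),
    dataAndTokenFixes: checkBranch(installed, PATCHED_DATA),
  };
}

// Constructed sample: a deployment on 8.5.0 has the data/token fixes but not
// the authentication fixes, which arrived in 8.5.1.
const sampleAssessment = assessVersion('8.5.0');
```

Feeding the version reported by a live instance (for example from its info endpoint) into `assessVersion` gives an inventory-friendly answer per host; an `unknown-branch` result on either set is a prompt to consult the official advisories rather than a clean bill of health.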

This coordinated disclosure of twelve vulnerabilities underscores the importance of regular security audits and timely patching for communication platforms like Rocket.Chat. The breadth of issues, from authentication bypass to data exfiltration and XSS, presents a significant risk to organizations relying on Rocket.Chat for their internal and external communications. Promptly applying the available security updates is crucial to protect sensitive data and maintain the integrity of user sessions.

The patched versions for these vulnerabilities include:

It is imperative for administrators to consult the official Rocket.Chat security advisories for precise version information and upgrade paths.

The vulnerabilities disclosed on June 24, 2026, represent a critical security event for Rocket.Chat users. The batch includes multiple authentication bypass flaws, token-related vulnerabilities, and data exposure risks that require immediate attention from system administrators, and the range of affected versions means that a broad spectrum of Rocket.Chat deployments may be at risk if not updated promptly. Taken together, the twelve CVEs reflect a concentrated effort to address significant weaknesses across authentication, authorization, and data handling, several of which allow unauthorized access or account takeover.

Key areas of concern include:

  • Authentication Flaws: Multiple vulnerabilities (CVE-2026-55759, CVE-2026-55666, CVE-2026-45689, CVE-2026-45688) allow attackers to bypass authentication or hijack sessions, often through injection attacks or improper validation of third-party authentication tokens.
  • Token Management Issues: CVE-2026-49277 and CVE-2026-45757 show that OAuth and login tokens are not invalidated upon user deactivation, posing a persistent risk.
  • API and Endpoint Vulnerabilities: CVE-2026-55762 demonstrates an unprotected API endpoint that can be abused by authenticated users to deregister workspaces.
  • Data Exposure: CVE-2026-49278 and CVE-2026-45687 highlight risks of sensitive data leakage and arbitrary data export.
  • SSO and SAML Weaknesses: CVE-2026-46423 and CVE-2026-45677 indicate potential bypasses in SAML signature validation, impacting secure single sign-on.
  • Cross-Site Scripting (XSS): CVE-2026-47733 points to a rendering vulnerability that could lead to script execution via specially crafted markdown images.

Administrators should prioritize updating their Rocket.Chat instances to the patched versions specified in the advisories to mitigate these widespread security risks.

The timely application of these patches is essential for maintaining the security and integrity of Rocket.Chat deployments.

AI-written article. Grounded in 12 CVE records listed below.