CVE-2026-45688: Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
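The following is an added example, not Rocket.Chat's own code, illustrating the type-erasure point from the defender's side: the `string` annotation on the unchecked lookup builder disappears at compile time, so a JSON-decoded object flows straight into the filter, whereas the checked builder refuses anything that is not a non-empty string, and a small scanner flags DDP `login` frames whose CAS credentialToken is not a string. The function names, the `Query` alias and the sample frames are constructed for this example.

```typescript
// Added example (not Rocket.Chat's code). Function names, the Query alias and the
// sample DDP frames below are constructed for illustration.

type Query = Record<string, unknown>;

// Vulnerable shape: the `string` annotation is erased after compilation, so
// whatever JSON.parse produced is forwarded verbatim into the query filter.
function buildLookupUnchecked(credentialToken: string): Query {
  return { _id: credentialToken };
}

// Hardened shape: reject anything that is not a plain, non-empty string before
// it can reach the driver. Returns null so the caller can fail the login closed.
function buildLookupChecked(credentialToken: unknown): Query | null {
  if (typeof credentialToken !== "string" || credentialToken.length === 0) {
    return null;
  }
  return { _id: credentialToken };
}

// Detection: return the indexes of DDP `login` method frames whose CAS
// credentialToken is present but not a string (an operator object instead).
function findSuspiciousCasLogins(rawFrames: string[]): number[] {
  const hits: number[] = [];
  rawFrames.forEach((raw, i) => {
    let msg: any;
    try {
      msg = JSON.parse(raw);
    } catch {
      return; // not JSON: ignore, the DDP layer would reject it anyway
    }
    if (msg?.msg !== "method" || msg?.method !== "login") return;
    for (const param of msg.params ?? []) {
      const token = param?.cas?.credentialToken;
      if (token !== undefined && typeof token !== "string") hits.push(i);
    }
  });
  return hits;
}

// Constructed sample DDP frames (not captured traffic): one legitimate ticket,
// one operator object in place of the ticket, one unrelated method call.
const SAMPLE_FRAMES: string[] = [
  '{"msg":"method","method":"login","params":[{"cas":{"credentialToken":"ST-1-example"}}],"id":"1"}',
  '{"msg":"method","method":"login","params":[{"cas":{"credentialToken":{"$gt":""}}}],"id":"2"}',
  '{"msg":"method","method":"getUserRoles","params":[],"id":"3"}',
];
```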
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A pre-authentication NoSQL injection vulnerability exists in Rocket.Chat's CAS login handler. An unauthenticated attacker reachable over the network can substitute a MongoDB query operator for the expected CAS ticket string, bypassing the credential check entirely and hijacking an in-flight CAS or SAML session to obtain a valid auth token bound to the victim user. Successful exploitation gives the attacker full read and write access to the Rocket.Chat instance as the victim, and if the victim holds administrator privileges, this extends to complete instance compromise via Apps-Engine. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Rocket.Chat images in CI pipelines and production registries. Any image carrying an affected version of Rocket.Chat is flagged immediately on ingest.
- Triage (Available): HarborGuard scores this CVE at CVSS 9.1 (Critical) and applies per-environment compliance policy weighting to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation (Pending upstream): No fix versions have been published upstream for this CVE at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a fix. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Rocket.Chat DDP or HTTP endpoint over the network; no prior foothold on the host is needed.
- Authentication: Not required
No account or credentials are required; the injection occurs in the unauthenticated CAS login handler before any session is established.
- Victim interaction: Not required
The attacker does not need the victim to click anything; the only dependency is that a legitimate CAS or SAML login flow is in flight at the time of the attack.
- Attack complexity
The exploit is reliable and condition-free from the attacker's side; the only environmental factor is the timing window created by a concurrent legitimate SSO login, which the attacker can observe or retry.
Blast Radius
- Reads and exfiltrates all messages, files, and channel content accessible to the hijacked user account.
- Writes messages, modifies channel settings, and alters user data on the full REST and DDP API surface as the victim.
- If the hijacked account is an administrator, installs a malicious Rocket.Chat App via Apps-Engine, achieving arbitrary server-side code execution and full instance compromise.
- Extracts stored session tokens and credentials for other users visible to the hijacked account, enabling lateral movement to additional accounts.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously monitors this advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. In the interim, compensating controls are worth considering: network-policy isolation to restrict which clients can reach the Rocket.Chat DDP and CAS endpoints (reducing the pool of potential attackers), disabling CAS and SAML SSO login entirely if those flows are not required, and egress filtering to prevent a compromised instance from reaching internal infrastructure. For customers with auto-remediation enabled, once upstream publishes a fix the pipeline will automatically rebuild the image, run regression tests, and open a PR against affected workloads. Given the critical CVSS score of 9.1 and the zero-authentication requirement, this CVE should be treated as high priority for any environment running an affected Rocket.Chat version with CAS or SAML SSO enabled.
Affected Products
- RocketChat / Rocket.Chat: >= 8.5.0-rc.0, < 8.5.0 · >= 8.4.0-rc.0, < 8.4.1 · >= 8.3.0-rc.0, < 8.3.3 · >= 8.2.0-rc.0, < 8.2.3 · >= 8.1.0-rc.0, < 8.1.4 · >= 8.0.0-rc.0, < 8.0.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N