CVE-2026-45689 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-45689: Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {"$ne": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11
Affected Products: 1


HarborGuard Analysis

Synopsis

Pre-authentication NoSQL injection in Rocket.Chat's OAuth2 token endpoint allows a remote, unauthenticated attacker to obtain valid bearer tokens for arbitrary users by substituting MongoDB query operators for expected string parameters. The vulnerability is reachable over the network with no credentials, no prior session, and no victim interaction required. Successful exploitation gives the attacker full API access as any targeted user, including admin-level access that enables server-side code execution via Apps-Engine installation. Upstream has published fixed releases (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11); HarborGuard tracks the advisory and makes a patched-image rebuild available against those versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45689 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Rocket.Chat base layers. Any image containing an affected version of Rocket.Chat is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard surfaces this CVE with its full CVSS v3.1 score of 9.1 (CRITICAL), weighted further by any per-environment compliance policy that prioritizes unauthenticated remote account-takeover and code-execution risks. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

Upstream fix versions are published (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11), and HarborGuard re-checks the advisory on every ingest cycle so the patched-image rebuild tracks those releases. Until the rebuilt image is deployed, customers can use HarborGuard's policy engine to flag or block deployment of images containing affected Rocket.Chat versions and to apply network-isolation compensating controls.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP POST requests to the Rocket.Chat instance's /oauth/token endpoint.

  • Authentication: Not required

    No account, credentials, or prior session are needed; the injection point is in a pre-authentication code path.

  • Victim interaction: Not required

    The attack is fully server-side; no user needs to click a link, open a file, or take any action.

  • Attack complexity: Low

    The exploit is reliable and condition-free: a single crafted HTTP POST with MongoDB operator substitution is sufficient, with no race conditions or environmental factors to overcome.

Blast Radius

  • Obtains freshly minted OAuth access and refresh tokens bound to any user with an entry in the oauth_access_tokens collection, including admin accounts; iterating with $nin / $regex yields one new token per user per request.
  • Authenticates to the full /api/v1/* REST API surface as any harvested user, reading private messages, files, and channel history.
  • Modifies user data, channel settings, or workspace configuration by issuing authenticated write requests under a stolen user identity.
  • If any harvested token belongs to an admin, installs a malicious Apps-Engine application, achieving arbitrary server-side code execution on the Rocket.Chat host.

How HarborGuard Handles This

Available on HarborGuard: upstream fix versions for CVE-2026-45689 are published (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11), and HarborGuard re-evaluates the advisory on every ingest cycle and queues a patched-image rebuild against those versions for affected images. For customers with auto-remediation enabled, that rebuild is followed by a regression test run and a PR opened against affected workloads without manual intervention. Until the rebuilt image is deployed, compensating controls available through HarborGuard's policy engine include: flagging or hard-blocking deployment of images containing affected Rocket.Chat versions; network-policy isolation that restricts inbound access to /oauth/token to known internal CIDR ranges only; and egress filtering to limit lateral movement if a token is stolen. Note that upgrading removes the injection path but does not by itself invalidate bearer tokens an attacker may already have minted through it; review and revoke outstanding OAuth access and refresh tokens after patching. Given the critical severity and zero-precondition exploit path, customers running affected versions should treat this as requiring immediate containment action rather than scheduled remediation.

Affected packages
  • RocketChat / Rocket.Chat
    >= 8.5.0-rc.0, < 8.5.0
    >= 8.4.0-rc.0, < 8.4.1
    >= 8.3.0-rc.0, < 8.3.3
    >= 8.2.0-rc.0, < 8.2.3
    >= 8.1.0-rc.0, < 8.1.4
    >= 8.0.0-rc.0, < 8.0.5
    The 7.13.x and 7.10.x branches are also affected per the description above (fixed in 7.13.7 and 7.10.11); their range bounds are not listed on this page.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N