CRITICAL · CVE-2026-55666 · CNA: GitHub_M

CVE-2026-55666: Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an email parameter. If the JWT does not contain an email address, the application falls back to accepting an arbitrary email value supplied directly in the request. Attackers are able to forge Apple JWTs that do not contain an email address and leverage this vulnerability to carry out account takeover attacks. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.10.13
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in Rocket.Chat's Apple OAuth login handler (apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken). The flaw is reachable over the network with no authentication required: when the Apple identity token carries no email claim, the server falls back to an email value taken directly from the login request, so an attacker who can present a token without an email claim chooses which email address, and therefore which account, the login resolves to. Successful exploitation gives the attacker full control of the targeted Rocket.Chat account. Upstream fix versions are published: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7 and 7.10.13. HarborGuard tracks the advisory and the patched-image rebuild it ships for those versions.
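The fallback pattern described in the CVE record above and in this synopsis, shown as an added example. This is not Rocket.Chat's code: the function names, the token layout and the `AppleIdentityClaims` shape are assumptions, and signature verification is left out on purpose so that the email-resolution logic stands alone. The vulnerable shape lets the caller's `email` parameter win whenever the token has no `email` claim; the hardened shape refuses to link an account without a verified email claim from the token itself.

```typescript
// Added illustration of the email-fallback bug class from this advisory.
// Not Rocket.Chat's code; names and token layout are assumptions.
// Signature verification is out of scope here: the point is that even a
// correctly signed token without an `email` claim must never be paired
// with a caller-supplied address.

interface AppleIdentityClaims {
  iss?: string;
  sub?: string;
  email?: string;
  email_verified?: boolean | string; // Apple may send "true" as a string
}

// Decode the payload of a compact JWS (header.payload.signature) without verifying it.
function decodeJwtPayload(token: string): AppleIdentityClaims {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return JSON.parse(Buffer.from(b64 + pad, 'base64').toString('utf8'));
}

// Vulnerable shape: when the token omits `email`, trust the request body.
// An attacker who submits a token without `email` picks the victim's address.
function resolveEmailVulnerable(token: string, requestEmail?: string): string | undefined {
  const claims = decodeJwtPayload(token);
  return claims.email ?? requestEmail; // <-- the fallback is the bug
}

// Hardened shape: the identity used for account lookup comes only from the token,
// and only if Apple marked it verified. Anything else is a hard failure.
function resolveEmailFixed(token: string): string {
  const claims = decodeJwtPayload(token);
  if (typeof claims.email !== 'string' || claims.email.length === 0) {
    throw new Error('identity token has no email claim; refusing to link account');
  }
  if (String(claims.email_verified) !== 'true') {
    throw new Error('email claim is not verified');
  }
  return claims.email.toLowerCase();
}

// Builds an unsigned token from constructed sample claims (test data, not a real Apple token).
function makeUnsignedToken(claims: AppleIdentityClaims): string {
  const enc = (o: unknown) =>
    Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}
```

Two caveats when reading this against a real deployment: the hardened resolver still assumes the token signature was checked against Apple's public keys before it ran, and keying the account on the stable `sub` claim rather than on email is the more robust design, since an email-based lookup is exactly what made the fallback exploitable.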

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-55666 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Rocket.Chat images in registries and CI/CD pipelines.

Triage: Available

HarborGuard scores this CVE at CVSS 9.3 Critical and weights it against each environment's compliance policy to route alerts to the appropriate team inbox within each customer organization.

Patch: Upstream fix versions published

Upstream fix versions are published (8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7 and 7.10.13). HarborGuard re-evaluates this advisory on every ingest cycle and makes a patched-image rebuild available once a fix version appears upstream, which is the case here. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable OAuth endpoint is exposed over the network, so an attacker must be able to reach the Rocket.Chat server via standard HTTPS.

  • Authentication: Not required

    No credentials or existing session are needed; the attacker interacts with the unauthenticated Apple OAuth login flow directly.

  • Victim interaction: Not required

    The attacker crafts and submits the token and the email parameter independently; no action by the target user is necessary.

  • Attack complexity: Low (CVSS AC:L)

    Exploit conditions are straightforward and reliable: presenting a token without an email claim alongside an attacker-chosen email parameter requires no race conditions or special environmental factors.

Blast Radius

  • Attacker gains full authenticated access to the targeted Rocket.Chat account, reading all private messages, direct messages, and channel history.
  • Attacker can post messages, modify account settings, and exfiltrate any data the compromised account can access, including files and integrations.
  • If the targeted account holds admin privileges, the attacker inherits those privileges and can reconfigure the entire Rocket.Chat workspace.

How HarborGuard Handles This

Available on HarborGuard: fix versions for CVE-2026-55666 are published upstream (8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7 and 7.10.13), and HarborGuard re-checks the advisory on every feed ingest cycle so that the patched-image rebuild tracks those versions. For customers with auto-remediation enabled, that rebuild is followed immediately by a regression test run and a PR opened against affected workloads, with no manual steps required. Where an upgrade cannot be rolled out immediately, the one compensating control that fully closes the hole is feature-flag gating to disable Apple OAuth login if it is not in active use. Network-policy rules on the Apple login endpoint help only where the user population is confined to known IP ranges, since the endpoint is normally reached by any user's browser; egress filtering to Apple's endpoints does not help at all, because the forged token arrives inbound from the attacker rather than outbound to Apple. HarborGuard will surface this CVE in scan results for any image running an affected Rocket.Chat version until a patched image is deployed.

Affected packages
  • RocketChat / Rocket.Chat
    >= 8.5.0-rc.0, < 8.5.1
    >= 8.4.0-rc.0, < 8.4.4
    >= 8.3.0-rc.0, < 8.3.6
    >= 8.2.0-rc.0, < 8.2.6
    >= 8.1.0-rc.0, < 8.1.6
    >= 7.11.0-rc.0, < 8.0.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N