CVE Catalog

CVE-2026-45688

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

In Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, the CAS login handler forwards the client-supplied `credentialToken` value directly into a MongoDB `findOne({_id: ...})` query without any runtime type check. An unauthenticated attacker can substitute a NoSQL query operator (e.g., `{"$gt": ""}`) for the expected ticket string, matching the first unexpired document in the `credential_tokens` collection and completely bypassing the CAS ticket check.

Risk Assessment

An attacker can hijack the authentication session of any user currently logging in via CAS or SAML SSO, obtaining a full Meteor auth token (userId + token). If the victim is an administrator, the attacker can install apps via Apps-Engine, leading to full instance compromise.

Recommendation

Immediately upgrade Rocket.Chat to one of the patched versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11. If upgrading is not possible, temporarily disable CAS and SAML SSO login.

Original NVD description (English source)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS