SB2026051449 - Multiple vulnerabilities in Rocket.Chat

Published: May 14, 2026

Security Bulletin ID SB2026051449
CSH Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High: 60%, Medium: 40%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper Verification of Cryptographic Signature (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass authentication and impersonate arbitrary users.

The vulnerability exists due to improper verification of cryptographic signature in the SAML signature verification routine when processing SAML responses with an empty configured IdP certificate field. A remote attacker can submit a crafted unsigned or attacker-supplied SAML assertion to bypass authentication and impersonate arbitrary users.

The issue is reachable when SAML is enabled and the IdP certificate field is left at its default empty value.


2) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-45687)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the sendFileMessage DDP method and upload record handling when processing an attacker-supplied file object. A remote user can modify writable fields such as the storage backend and path on their own upload record to disclose sensitive information.

Exploitation requires an authenticated non-admin account and a cloud-backed upload backend such as Google Cloud Storage or Amazon S3. The victim must have previously generated a data export, and the export path is deterministic from the instance identifier and the victim user ID.


3) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-45688)

The vulnerability allows a remote attacker to hijack arbitrary CAS or SAML user sessions.

The vulnerability exists due to improper neutralization of special elements in data query logic in the CAS login handler when processing a client-supplied credentialToken value in a MongoDB query. A remote attacker can send a specially crafted login request with a MongoDB query operator to hijack arbitrary CAS or SAML user sessions.

Exploitation requires that CAS or SAML be configured and that a legitimate SSO login occur within the 60-second credential-token validity window.
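The injection in item 3 comes down to a client-supplied value reaching a MongoDB selector without a type check. The following is an added JavaScript example, not Rocket.Chat's code, showing that vulnerable pattern beside a hardened version that fails closed on non-string input and also enforces the 60-second token window; the function names and the in-memory user records are constructed for illustration.

```javascript
// Added example (not Rocket.Chat code). Function names and the `users` array
// are assumptions for illustration only.

const TOKEN_TTL_MS = 60 * 1000; // the 60-second credential-token validity window

// Constructed in-memory stand-in for a users collection holding CAS login tokens.
const users = [
  { _id: 'u1', services: { cas: { credentialToken: 'tok-abc', issuedAt: 1000000 } } },
  { _id: 'u2', services: { cas: { credentialToken: 'tok-def', issuedAt: 1000000 } } },
];

// Vulnerable pattern: whatever the client sent (string or object) becomes the
// selector value, so a JSON object is handed to MongoDB as a query document
// instead of being compared as a literal string.
function buildSelectorUnsafe(token) {
  return { 'services.cas.credentialToken': token };
}

// Hardened pattern: fail closed unless the value is a plain, non-empty string.
function buildSelectorSafe(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new TypeError('credentialToken must be a non-empty string');
  }
  return { 'services.cas.credentialToken': token };
}

// Lookup through the safe selector plus an explicit age check, so a token
// cannot be redeemed outside the validity window.
function lookupUser(token, now) {
  const wanted = buildSelectorSafe(token)['services.cas.credentialToken'];
  const user = users.find((u) => u.services.cas.credentialToken === wanted);
  if (!user) return null;
  if (now - user.services.cas.issuedAt > TOKEN_TTL_MS) return null; // expired
  return user;
}

// Reports whether a selector value would be interpreted by MongoDB as an
// operator document; handy as a regression check on the login path.
function containsOperator(selector) {
  const v = selector['services.cas.credentialToken'];
  return v !== null && typeof v === 'object' && Object.keys(v).some((k) => k.startsWith('$'));
}
```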


4) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-45689)

The vulnerability allows a remote attacker to obtain OAuth access tokens for arbitrary users.

The vulnerability exists due to improper neutralization of special elements in data query logic in the /oauth/token endpoint when handling crafted HTTP POST requests with MongoDB query operators. A remote attacker can send a specially crafted request to obtain OAuth access tokens for arbitrary users.

Exploitation requires at least one active OAuth app and at least one stored refresh token on the target instance.


5) Missing Authentication for Critical Function (CVE-ID: CVE-2026-45677)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper authentication in SAML logout request processing when handling inbound LogoutRequest messages at the SP logout endpoint. A remote attacker can submit a valid-looking unsigned LogoutRequest for a target user to cause a denial of service.

Exploitation requires knowledge of the target user's SAML NameID.


Remediation

Install the update from the vendor's website.