Improper Neutralization of Special Elements in Data Query Logic in Rocket.Chat - CVE-2026-45689

Published: May 14, 2026

Vulnerability identifier: #VU131419
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-45689
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Rocket.Chat Technologies Corp.
Affected software: Rocket.Chat

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain OAuth access tokens for arbitrary users.

The vulnerability exists because the /oauth/token endpoint does not neutralize special elements in data query logic when handling crafted HTTP POST requests: MongoDB query operators supplied in request fields are passed through into the database query and interpreted as query logic (CWE-943). A remote attacker can send a specially crafted request to obtain OAuth access tokens for arbitrary users.

Exploitation requires at least one active OAuth app and at least one stored refresh token on the target instance.
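The following is an added illustration of the CWE-943 pattern described above and of the input validation that closes it. It is not Rocket.Chat's code and makes no claim about how the real /oauth/token handler is written: the token store, the minimal in-memory query matcher, the field names `refresh_token` / `client_id`, and both handlers are constructed for this example. The point it shows is the one the advisory makes: when a JSON body field is forwarded into a MongoDB-style query unchanged, an object carrying a query operator is treated as query logic rather than as a token value, whereas a strict type check turns the same request into an `invalid_request` error before any query is built.

```javascript
// Constructed example: NoSQL operator injection (CWE-943) in a token lookup,
// beside its hardened form. Hypothetical code, not Rocket.Chat's implementation.

// Tiny in-memory stand-in for a MongoDB collection. It supports plain equality
// plus the $ne and $in operators, which is enough to show why letting untrusted
// objects reach the query layer is dangerous.
function matchesValue(stored, criterion) {
  if (criterion !== null && typeof criterion === 'object' && !Array.isArray(criterion)) {
    // An object criterion is interpreted as an operator expression, exactly as
    // a MongoDB driver would interpret { "$ne": null } in a query document.
    if ('$ne' in criterion) return stored !== criterion.$ne;
    if ('$in' in criterion) return Array.isArray(criterion.$in) && criterion.$in.includes(stored);
    throw new Error(`unsupported operator in ${JSON.stringify(criterion)}`);
  }
  return stored === criterion;
}

function findOne(docs, query) {
  const hit = docs.find(doc =>
    Object.entries(query).every(([field, criterion]) => matchesValue(doc[field], criterion)));
  return hit || null;
}

// Constructed sample refresh-token store (two users, one OAuth app).
const REFRESH_TOKENS = [
  { token: 'rt-alice-1111', userId: 'alice', clientId: 'app-1' },
  { token: 'rt-bob-2222',   userId: 'bob',   clientId: 'app-1' },
];

// VULNERABLE (hypothetical): body fields go straight into the query document.
// If body.refresh_token is an object rather than a string, the query no longer
// asks "which record has this exact token" but whatever the operator expresses.
function vulnerableTokenLookup(body) {
  return findOne(REFRESH_TOKENS, { token: body.refresh_token, clientId: body.client_id });
}

// Validation helper: only a non-empty primitive string may be used as a token
// or client id. Objects (including operator objects parsed from JSON) are refused.
function requireString(value, name) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`invalid_request: ${name} must be a non-empty string`);
  }
  return value;
}

// HARDENED (hypothetical): types are enforced before the query is constructed,
// so operator objects from the request body can never become query logic.
function hardenedTokenLookup(body) {
  const token = requireString(body.refresh_token, 'refresh_token');
  const clientId = requireString(body.client_id, 'client_id');
  return findOne(REFRESH_TOKENS, { token, clientId });
}

// Defence in depth: a request-body check a web layer can run for every endpoint,
// flagging any nested key that begins with '$' so such requests can be rejected
// and logged for detection, independent of per-field validation.
function containsOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperatorKey(v));
}

// Stand-alone demonstration with constructed request bodies.
function demo() {
  const legit = { refresh_token: 'rt-bob-2222', client_id: 'app-1' };
  const operatorBody = { refresh_token: { $ne: null }, client_id: 'app-1' };
  const results = {
    legitVulnerable: vulnerableTokenLookup(legit).userId,          // 'bob'
    legitHardened: hardenedTokenLookup(legit).userId,              // 'bob'
    operatorVulnerable: vulnerableTokenLookup(operatorBody).userId, // 'alice': wrong user's record
    operatorFlagged: containsOperatorKey(operatorBody),            // true
  };
  try {
    hardenedTokenLookup(operatorBody);
    results.operatorHardened = 'unexpectedly accepted';
  } catch (e) {
    results.operatorHardened = e.message;                          // 'invalid_request: ...'
  }
  return results;
}
```

In a real deployment the same idea applies at two layers: the endpoint validates each field's type before building a query, and a generic body filter such as `containsOperatorKey` rejects and logs any request whose JSON contains `$`-prefixed keys, giving an easy detection signal for attempts against any endpoint.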


How to mitigate CVE-2026-45689

Install the security update from the vendor's website.

Sources