Improper Neutralization of Special Elements in Data Query Logic in Rocket.Chat - CVE-2026-45688


Published: May 14, 2026


Vulnerability identifier: #VU131420
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-45688
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Rocket.Chat Technologies Corp.
Affected software:
Rocket.Chat

Detailed vulnerability description

The vulnerability allows a remote attacker to hijack arbitrary CAS or SAML user sessions.

The vulnerability exists because the CAS login handler passes a client-supplied credentialToken value into a MongoDB query without neutralizing query operators (CWE-943). A remote attacker can send a specially crafted login request in which credentialToken is a MongoDB query operator object rather than a plain string, so the query matches pending credentials that belong to other users and the attacker takes over their CAS or SAML sessions.

Exploitation requires that CAS or SAML be configured and that a legitimate user's SSO login be in progress: the injected query must run while that user's credential token is still within its 60-second validity window.
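The following is an added illustration of the CWE-943 pattern described above. It is not Rocket.Chat's code and not an exploit for this CVE: the in-memory credential store, the toy MongoDB-style matcher (equality plus `$ne`, `$gt`, `$in`, `$regex`), the fixed clock `NOW`, and the functions `vulnerableLookup` / `hardenedLookup` are all assumptions made for the example. It shows why an operator object in place of a string token matches someone else's pending credential inside the validity window, and how a type check on the client value closes the hole.

```javascript
// Added example (not Rocket.Chat code): how an unvalidated credentialToken
// becomes a NoSQL operator injection, and the check that prevents it.

const TOKEN_TTL_MS = 60 * 1000;          // page states a 60-second validity window
const NOW = 1_700_000_000_000;           // fixed clock so the example is deterministic

// Constructed sample data: credentials written by an SSO callback.
// "alice" is still valid; "bob" is 90 s old and already expired.
const pendingCredentials = [
  { userId: "alice", credentialToken: "tok-a1b2", createdAt: NOW - 5_000 },
  { userId: "bob",   credentialToken: "tok-c3d4", createdAt: NOW - 90_000 },
];

// Minimal subset of MongoDB matching semantics, enough to show the flaw:
// a literal value means equality, an object with $-keys means operators.
function valueMatches(actual, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$ne":    return actual !== arg;
        case "$gt":    return actual > arg;
        case "$in":    return Array.isArray(arg) && arg.includes(actual);
        case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
        default:       throw new Error("unsupported operator " + op);
      }
    });
  }
  return actual === cond;
}

function find(collection, query) {
  return collection.filter(doc =>
    Object.entries(query).every(([field, cond]) => valueMatches(doc[field], cond)));
}

// Vulnerable (hypothetical): the request body value goes straight into the query.
// A string only matches the caller's own token; { $ne: null } matches every
// non-expired credential, i.e. whoever is logging in right now.
function vulnerableLookup(body, now = NOW) {
  return find(pendingCredentials, {
    credentialToken: body.credentialToken,
    createdAt: { $gt: now - TOKEN_TTL_MS },
  });
}

// Hardened (hypothetical): refuse anything that is not a non-empty string before
// it reaches the query, so the value can only ever be compared literally.
function hardenedLookup(body, now = NOW) {
  const token = body.credentialToken;
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("credentialToken must be a non-empty string");
  }
  return find(pendingCredentials, {
    credentialToken: token,
    createdAt: { $gt: now - TOKEN_TTL_MS },
  });
}
```

The `createdAt` filter is what makes the 60-second window matter: the injected operator only matches credentials that are still live, so the attacker's request has to land while a victim's SSO login is in flight. The fix belongs at the boundary (a string type check, or a schema validator that rejects objects) rather than in the query, since any object value is interpreted as operators by the driver.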


How to mitigate CVE-2026-45688

Install the security update from the vendor's website.

Sources