CVE-2026-23477
📋 TL;DR
This vulnerability allows any authenticated Rocket.Chat user to access OAuth application credentials (client_id and client_secret) by querying the /api/v1/oauth-apps.get endpoint with a known application ID. This affects all Rocket.Chat instances running versions up to 6.12.0, regardless of user role or permissions.
💻 Affected Systems
- Rocket.Chat
📦 What is this software?
Rocket.Chat by Rocket.Chat
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal OAuth credentials to impersonate legitimate applications, potentially gaining unauthorized access to integrated services, performing account takeovers, or launching further attacks against connected systems.
Likely Case
Malicious insiders or compromised user accounts could harvest OAuth credentials, enabling them to access integrated third-party services or manipulate application integrations.
If Mitigated
With proper access controls and monitoring, the impact is limited to credential exposure requiring additional steps for exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The endpoint is well-documented in the API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.12.0
Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2
Restart Required: Yes
Instructions:
1. Back up your Rocket.Chat instance and database.
2. Update Rocket.Chat to version 6.12.0 or later using your deployment method (Docker, Snap, manual).
3. Restart the Rocket.Chat service.
4. Verify the update was successful.
🔧 Temporary Workarounds
API Endpoint Restriction
Use a reverse proxy or web application firewall to block access to the vulnerable endpoint for non-admin users.
# Example nginx location block. nginx cannot tell Rocket.Chat user roles apart,
# so this denies the endpoint (HTTP 403) for every caller, administrators included;
# the prefix match also covers any path that begins with /api/v1/oauth-apps.get.
location /api/v1/oauth-apps.get {
    deny all;
}
🧯 If You Can't Patch
- Implement strict access controls and monitoring for the /api/v1/oauth-apps.get endpoint.
- Rotate all OAuth client secrets and review integrated applications for unauthorized access.
🔍 How to Verify
Check if Vulnerable:
Check Rocket.Chat version via admin panel or API. If version is below 6.12.0, test authenticated access to GET /api/v1/oauth-apps.get with a known OAuth app ID.
Check Version:
curl -s http://your-rocketchat-server/api/info | grep -o '"version":"[^"]*"'
Verify Fix Applied:
After updating to 6.12.0+, verify that non-admin users receive permission errors when accessing the endpoint and that the version shows 6.12.0 or higher.
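The version check above is easy to get wrong when done by hand or with string comparison ("6.9.0" sorts after "6.12.0" as text). The following Python helper is an added example, not code from this advisory or from Rocket.Chat: it parses the JSON body of GET /api/info (only the "version" key is relied on; the sample body is constructed) and compares the version against the 6.12.0 fix version numerically, treating a pre-release of 6.12.0 as still below the fix, following semver precedence.

```python
import json
import re

FIXED_VERSION = (6, 12, 0)  # patched in 6.12.0 per the advisory

def parse_version(version):
    """Split '6.11.2' or '6.12.0-rc.3' into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4) is not None

def is_vulnerable(version):
    """True when the version is below 6.12.0 (numeric, not lexicographic, comparison)."""
    core, prerelease = parse_version(version)
    if core < FIXED_VERSION:
        return True
    # Semver precedence: 6.12.0-rc.1 predates the 6.12.0 release, so it is still unfixed.
    return core == FIXED_VERSION and prerelease

def check_api_info(body):
    """Take the JSON body returned by GET /api/info and return (version, vulnerable)."""
    info = json.loads(body)
    version = info["version"]
    return version, is_vulnerable(version)

# Constructed sample response; a real reply carries more fields than these.
SAMPLE_INFO = '{"version":"6.11.2","success":true}'

if __name__ == "__main__":
    version, vulnerable = check_api_info(SAMPLE_INFO)
    print(f"Rocket.Chat {version}: {'VULNERABLE, update to 6.12.0+' if vulnerable else 'fixed'}")
```

Feed it the output of the curl command above (the full JSON body rather than the grep'd fragment) and it reports whether the instance still needs the update.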
📡 Detection & Monitoring
Log Indicators:
- Multiple failed or successful requests to /api/v1/oauth-apps.get from non-admin users
- Unusual access patterns to OAuth-related endpoints
Network Indicators:
- HTTP GET requests to /api/v1/oauth-apps.get with OAuth app IDs in parameters
SIEM Query:
source="rocketchat" AND (url_path="/api/v1/oauth-apps.get" OR endpoint="oauth-apps.get") AND user_role!="admin"
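The log indicators and SIEM query above rely on knowing which caller is an administrator. The following Python script is an added example (not part of this advisory or of Rocket.Chat) that applies the same logic to reverse-proxy access logs. It assumes the nginx in front of Rocket.Chat logs the REST client's X-User-Id header via $http_x_user_id, that the query parameter carrying the application identifier is named appId or clientId, and that the set of administrator user IDs is known out of band; the log format, log lines, user IDs and app IDs are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed nginx format, constructed for this example:
#   log_format rc_api '$remote_addr $http_x_user_id "$request" $status';
# $http_x_user_id carries the X-User-Id header that Rocket.Chat REST clients send.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
TARGET_PATH = "/api/v1/oauth-apps.get"
APP_ID_PARAMS = ("appId", "clientId")  # assumed parameter names for the app identifier

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    qs = parse_qs(parts.query)
    rec["path"] = parts.path
    rec["app_id"] = next((qs[k][0] for k in APP_ID_PARAMS if k in qs), None)
    rec["status"] = int(rec["status"])
    return rec

def find_oauth_app_reads(lines, admin_ids):
    """Summarise requests to the endpoint by anyone not in admin_ids.

    Every request counts as an attempt whatever its status; only HTTP 200 counts
    as a disclosure, since that is the response that carries the client secret.
    Returns {user_id: {"attempts", "disclosures", "app_ids", "ips"}}.
    """
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH or rec["user"] in admin_ids:
            continue
        f = findings.setdefault(
            rec["user"], {"attempts": 0, "disclosures": 0, "app_ids": set(), "ips": set()}
        )
        f["attempts"] += 1
        if rec["status"] == 200:
            f["disclosures"] += 1
        if rec["app_id"]:
            f["app_ids"].add(rec["app_id"])
        f["ips"].add(rec["ip"])
    # Sort the sets so the report (and any downstream diff) is stable.
    return {u: {**f, "app_ids": sorted(f["app_ids"]), "ips": sorted(f["ips"])}
            for u, f in findings.items()}

# Constructed allowlist; in practice populate it from your own user directory.
ADMIN_IDS = {"u_admin01"}

# Constructed sample log: one admin read, one regular user enumerating several apps,
# and one unauthenticated probe ("-" means no X-User-Id header was sent).
SAMPLE_LOG = """\
203.0.113.10 u_admin01 "GET /api/v1/oauth-apps.get?appId=app_alpha HTTP/1.1" 200
198.51.100.7 u_user42 "GET /api/v1/oauth-apps.get?appId=app_alpha HTTP/1.1" 200
198.51.100.7 u_user42 "GET /api/v1/oauth-apps.get?appId=app_beta HTTP/1.1" 200
198.51.100.7 u_user42 "GET /api/v1/oauth-apps.get?appId=app_gamma HTTP/1.1" 404
198.51.100.7 u_user42 "GET /api/v1/channels.list HTTP/1.1" 200
192.0.2.55 - "GET /api/v1/oauth-apps.get?appId=app_alpha HTTP/1.1" 401
"""

if __name__ == "__main__":
    for user, f in find_oauth_app_reads(SAMPLE_LOG.splitlines(), ADMIN_IDS).items():
        print(f"{user}: {f['attempts']} attempts, {f['disclosures']} secrets returned, "
              f"apps={f['app_ids']}, from={f['ips']}")
```

A user with several distinct app IDs and a 200 on each is the harvesting pattern the advisory describes; any 200 to a non-admin is grounds to rotate that application's client secret, as the "If You Can't Patch" section recommends.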