Platform: nodejs
Component: rocket.chat
Fixed in: 6.12.1
CVE-2026-23477 is a high-severity vulnerability affecting Rocket.Chat versions up to 6.12.0. This flaw allows authenticated users to access sensitive OAuth application details, including client IDs and secrets, by exploiting the exposed /api/v1/oauth-apps.get endpoint. The vulnerability is resolved in version 6.12.0, and users are strongly advised to upgrade.
The primary impact of CVE-2026-23477 is the exposure of OAuth application credentials. An attacker who can exploit this vulnerability can gain access to OAuth applications configured within the Rocket.Chat instance. This could lead to unauthorized access to third-party services integrated with Rocket.Chat, potentially allowing attackers to impersonate users, access sensitive data, or perform actions on behalf of the application. The blast radius extends to any services relying on the compromised OAuth applications, making this a significant security risk. The exposed client secrets could be used to create malicious integrations or to bypass authentication mechanisms, effectively granting an attacker privileged access.
CVE-2026-23477 was publicly disclosed on 2026-01-14. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the sensitivity of the exposed data make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability is straightforward to exploit given authenticated access.
Organizations using Rocket.Chat with OAuth applications are at risk, particularly those with lax access controls or legacy configurations where user roles are not strictly enforced. Shared hosting environments where multiple Rocket.Chat instances share the same server could also be vulnerable if one instance is compromised.
• nodejs / server:
  # Check Rocket.Chat version
  npm list -g rocket.chat
• generic web:
  # Check for endpoint exposure
  curl -I https://<rocket.chat_domain>/api/v1/oauth-apps.get
• generic web:
  # Grep access logs for requests to /api/v1/oauth-apps.get
  grep '/api/v1/oauth-apps.get' /var/log/nginx/access.log
Disclosure
Exploit status:
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-23477 is to upgrade Rocket.Chat to version 6.12.0 or later, which contains the fix. If upgrading immediately is not possible, consider restricting access to the /api/v1/oauth-apps.get endpoint using role-based access control (RBAC) within Rocket.Chat. Implement a Web Application Firewall (WAF) rule to block requests to this endpoint from unauthorized users. Monitor Rocket.Chat logs for unusual API activity, particularly requests to the /api/v1/oauth-apps.get endpoint. After upgrading, confirm the fix by attempting to access the endpoint with a user account that should not have access; the request should be denied.
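The log-monitoring step above can be made more useful than a bare grep by separating requests the server actually answered with data (2xx) from requests it denied (401/403), and by grouping them per client address, so that after the upgrade a denied response is what you expect to see. The following script is an added example for this page, not code from Rocket.Chat or from this advisory; it assumes the reverse proxy writes the default nginx "combined" log format, and the log lines it parses are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Regex for the nginx "combined" log format.
# Assumption: the reverse proxy in front of Rocket.Chat uses this default format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The endpoint named in the advisory.
TARGET_PATH = "/api/v1/oauth-apps.get"

# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2026:10:01:02 +0000] "GET /api/v1/me HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2026:10:01:05 +0000] "GET /api/v1/oauth-apps.get?appId=abc HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2026:10:02:11 +0000] "GET /api/v1/oauth-apps.get?clientId=xyz HTTP/1.1" 403 61 "-" "curl/8.4.0"
203.0.113.10 - - [14/Jan/2026:10:03:40 +0000] "GET /api/v1/oauth-apps.get?appId=def HTTP/1.1" 200 740 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Jan/2026:10:04:00 +0000] "GET /api/v1/oauth-apps.list HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so the route comparison is exact.
    rec["route"] = rec["path"].split("?", 1)[0]
    return rec


def scan_oauth_apps_access(log_text, target=TARGET_PATH):
    """Count, per client IP, how often the target route was served (2xx),
    denied (401/403) or answered with some other status."""
    per_ip = defaultdict(lambda: {"served": 0, "denied": 0, "other": 0})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["route"] != target:
            continue
        if 200 <= rec["status"] < 300:
            per_ip[rec["ip"]]["served"] += 1
        elif rec["status"] in (401, 403):
            per_ip[rec["ip"]]["denied"] += 1
        else:
            per_ip[rec["ip"]]["other"] += 1
    return {"per_ip": dict(per_ip), "unparsed": unparsed}


def served_ips(summary):
    """Client addresses that received a 2xx from the endpoint, i.e. the ones
    worth reviewing against who is expected to manage OAuth apps."""
    return sorted(ip for ip, c in summary["per_ip"].items() if c["served"] > 0)


if __name__ == "__main__":
    result = scan_oauth_apps_access(SAMPLE_LOG)
    for ip, counts in result["per_ip"].items():
        print(f"{ip}: served={counts['served']} denied={counts['denied']} other={counts['other']}")
    print("review these clients:", served_ips(result))
    print("unparsed lines:", result["unparsed"])
```

On a live system, pass the contents of the access log instead of SAMPLE_LOG. Before the upgrade, any address in the "served" column is a client that could read OAuth app details and should be matched against the accounts expected to have that right; after the upgrade, a test with a low-privileged account should show up only in the "denied" column, which is the verification step the mitigation paragraph describes.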
Update Rocket.Chat to version 6.12.0 or later. This update fixes the vulnerability that allows unauthorized access to OAuth app details. The update can be performed through the Rocket.Chat admin panel or by following the update instructions provided by Rocket.Chat.
CVE-2026-23477 is a high-severity vulnerability in Rocket.Chat versions up to 6.12.0 that allows authenticated users to retrieve sensitive OAuth application details like client IDs and secrets.
You are affected if you are running Rocket.Chat versions 6.12.0 or earlier. Check your version and upgrade immediately.
Upgrade Rocket.Chat to version 6.12.0 or later. As a temporary workaround, restrict access to the /api/v1/oauth-apps.get endpoint using RBAC.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Rocket.Chat security advisory for CVE-2026-23477 on the Rocket.Chat website.