Platform
nodejs
Component
rocket.chat
Fixed in
6.12.1
CVE-2026-23477 is a high-severity vulnerability affecting Rocket.Chat versions up to and including 6.12.0. The flaw allows authenticated users to access sensitive OAuth application details, including client IDs and client secrets, through the /api/v1/oauth-apps.get REST endpoint, which returned them to any authenticated user. The vulnerability is fixed in version 6.12.1, and users are strongly advised to upgrade.
The primary impact of CVE-2026-23477 is the exposure of OAuth application credentials. An attacker who can authenticate to Rocket.Chat, even with limited permissions, can retrieve these credentials. The client secret is the critical item: it is what allows a party to authenticate to the token endpoint as the application, for example to redeem authorization codes issued to that application, so whoever holds it can impersonate the OAuth application and potentially gain unauthorized access to the services and data connected through it. Successful exploitation could lead to data exposure, account takeover, and further compromise of systems integrated with the Rocket.Chat OAuth application. As with other credential-leakage issues, the leaked secret is a stepping stone rather than the end goal; the real consequences depend on what the affected application is trusted to do.
CVE-2026-23477 was publicly disclosed on 2026-01-14. There is no indication of active exploitation at this time, and it is not currently listed in the CISA KEV catalog. Public proof-of-concept code is not widely available, but exploitation requires nothing more than an authenticated request to a single API endpoint, so the barrier to entry is low and the likelihood of exploitation rises the longer the vulnerability remains unpatched.
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23477 is to upgrade Rocket.Chat to version 6.12.1 or later, which contains the fix. If upgrading immediately is not possible, restrict who can reach the /api/v1/oauth-apps.get endpoint. Tightening Rocket.Chat's role-based permissions only helps if the endpoint honours them, which is exactly what is in question here, so the more dependable interim control is to block the path at a reverse proxy in front of Rocket.Chat, or to allow it only from administrative networks. Treat the client secrets of existing OAuth applications as potentially exposed: review them and rotate any secret you cannot show was never read, because a read of this endpoint by an ordinary user looks like any other successful API call in the logs. Monitor reverse-proxy and Rocket.Chat logs for requests to the OAuth API endpoint, particularly successful ones from accounts or addresses that have no administrative reason to use it. After upgrading, confirm the fix by requesting /api/v1/oauth-apps.get with a deliberately low-privileged account; the request should be denied, and in no case should a client secret be returned.
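The log review step above, as an added example that is not Rocket.Chat's own code: a small Python triage over reverse-proxy access logs that counts successful reads of /api/v1/oauth-apps.get per source address, so that reads made before the upgrade can be found and the affected secrets rotated. It assumes a proxy in front of Rocket.Chat writing the standard "combined" access-log format; the sample lines are constructed, and the oauth-apps.list sibling route is included as an assumption about the same API family rather than something the advisory states.

```python
"""Triage proxy access logs for reads of the Rocket.Chat OAuth-app API
(CVE-2026-23477). Added example, not Rocket.Chat project code. Assumes a reverse
proxy in front of Rocket.Chat writing the standard 'combined' access-log format."""
import re
from collections import Counter

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The endpoint named in the advisory, plus its listing sibling (assumed to exist
# in the same API family; remove it if your version has no such route).
OAUTH_APP_PATHS = {"/api/v1/oauth-apps.get", "/api/v1/oauth-apps.list"}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?clientId=... for matching
    return rec


def triage(lines):
    """Return (hits, flagged): successful (2xx) reads of the OAuth-app endpoints
    counted per source IP, and the matching records for analyst review.

    A 2xx here proves a read happened, not who made it; 4xx lines are skipped
    because a refused request leaked nothing."""
    hits = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in OAUTH_APP_PATHS:
            continue
        if 200 <= rec["status"] < 300:
            hits[rec["ip"]] += 1
            flagged.append(rec)
    return hits, flagged


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2026:09:12:01 +0000] "GET /api/v1/oauth-apps.get?clientId=abc123 HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [15/Jan/2026:09:12:02 +0000] "GET /api/v1/oauth-apps.get?clientId=def456 HTTP/1.1" 200 498 "-" "python-requests/2.31.0"',
    '198.51.100.4 - - [15/Jan/2026:09:13:10 +0000] "GET /api/v1/me HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jan/2026:09:14:00 +0000] "GET /api/v1/oauth-apps.get?clientId=abc123 HTTP/1.1" 403 61 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Jan/2026:09:15:00 +0000] "GET /api/v1/oauth-apps.list HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, flagged = triage(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} successful OAuth-app read(s)")
    for rec in flagged:
        print(f'  {rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} {rec["status"]} {rec["ua"]}')
```

On the constructed sample the script reports two reads from 203.0.113.7 and one from 192.0.2.9; the 403 from 198.51.100.4 is ignored because a refused request leaked nothing. Proxy logs do not carry the Rocket.Chat user identity, so correlate any flagged address with Rocket.Chat's own logs or session data before deciding which applications' secrets to rotate; when in doubt, rotate.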
Update Rocket.Chat to version 6.12.1 or higher. This release fixes the vulnerability that allowed authenticated users without the appropriate privileges to read OAuth application details. Follow the upgrade instructions Rocket.Chat provides for your deployment method, and verify the running version afterwards.
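The confirmation step described above, as an added Python example that is not Rocket.Chat project code: it logs in as a deliberately low-privileged test account, requests /api/v1/oauth-apps.get for one application, and classifies the answer as denied, leaking, or secret-free. The Rocket.Chat REST login flow (POST /api/v1/login, then X-Auth-Token and X-User-Id request headers), the clientId query parameter and the clientSecret field name are assumptions; the classification logic is separated from the network calls so it can be checked offline against constructed responses.

```python
"""Post-upgrade check for CVE-2026-23477: does /api/v1/oauth-apps.get still return
OAuth client secrets to a low-privileged Rocket.Chat user?

Added example, not Rocket.Chat project code. Assumptions: the REST login flow
(POST /api/v1/login -> data.authToken / data.userId, sent back as X-Auth-Token and
X-User-Id) and that oauth-apps.get takes the app's clientId as a query parameter.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Field name assumed for the secret in the returned OAuth app document.
SECRET_FIELDS = {"clientSecret"}


def _contains_secret(obj) -> bool:
    """Recursively look for a non-empty secret field anywhere in the JSON body."""
    if isinstance(obj, dict):
        if any(key in SECRET_FIELDS and value for key, value in obj.items()):
            return True
        return any(_contains_secret(value) for value in obj.values())
    if isinstance(obj, list):
        return any(_contains_secret(item) for item in obj)
    return False


def classify_response(status: int, body: str) -> str:
    """Turn an HTTP status and body from oauth-apps.get into a verdict.

    "denied"     -> 401/403: the caller was refused (expected after the fix)
    "leaking"    -> 2xx body contains a client secret (still vulnerable)
    "no-secret"  -> 2xx body without a secret (secret redacted, or app not found)
    "unexpected" -> anything else; inspect manually
    """
    if status in (401, 403):
        return "denied"
    if not 200 <= status < 300:
        return "unexpected"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected"
    return "leaking" if _contains_secret(data) else "no-secret"


def _request(method, url, headers=None, data=None):
    """Send one request and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def login(base_url, user, password):
    """Log in as the low-privileged test user; returns (user_id, auth_token)."""
    payload = json.dumps({"user": user, "password": password}).encode()
    status, body = _request("POST", f"{base_url}/api/v1/login",
                            {"Content-Type": "application/json"}, payload)
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status} {body[:200]}")
    data = json.loads(body)["data"]
    return data["userId"], data["authToken"]


def probe_oauth_app(base_url, user_id, auth_token, client_id):
    """Call oauth-apps.get as the test user and return (status, body)."""
    query = urllib.parse.urlencode({"clientId": client_id})  # parameter name assumed
    return _request("GET", f"{base_url}/api/v1/oauth-apps.get?{query}",
                    {"X-Auth-Token": auth_token, "X-User-Id": user_id})


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_cve_2026_23477.py BASE_URL USER PASSWORD CLIENT_ID")
    base, user, password, client_id = sys.argv[1:]
    base = base.rstrip("/")
    uid, token = login(base, user, password)
    verdict = classify_response(*probe_oauth_app(base, uid, token, client_id))
    print(verdict)
    sys.exit(0 if verdict in ("denied", "no-secret") else 1)
```

Run it against a staging or production instance with a throwaway account that holds no administrative permissions and the clientId of a real, already-registered OAuth app; a "leaking" verdict means the instance is still vulnerable, "denied" is the expected post-upgrade result, and "no-secret" warrants a second look because it is also what an unknown clientId can produce. Note that the probe itself retrieves the secret if the instance is vulnerable, so run it over TLS and from a trusted host.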
CVE-2026-23477 is a high-severity vulnerability in Rocket.Chat versions up to 6.12.0 that allows authenticated users to retrieve sensitive OAuth application details like client IDs and secrets.
You are affected if you are running Rocket.Chat versions 6.12.0 or earlier. Check your version and upgrade immediately.
Upgrade Rocket.Chat to version 6.12.1 or later. As a temporary workaround, restrict access to the /api/v1/oauth-apps.get endpoint, preferably at a reverse proxy in front of Rocket.Chat, and rotate OAuth client secrets that may have been read.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Rocket.Chat security advisory for CVE-2026-23477 on the Rocket.Chat website.