
Three Unauthenticated Takeover Flaws in Team Chat Rocket.Chat (CVE-2026-45688 and More) — Update Now

Rocket.Chat, a team chat platform used by governments and enterprises, has three flaws, two of which let an attacker take over another account without authentication. Those two, CVE-2026-45688 and CVE-2026-45689, are rated CVSS 9.1. By injecting MongoDB query operators into authentication endpoints, an attacker bypasses identity checks, steals another user's access token and can escalate to administrator. Update to the latest release of your line.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.25
Key takeaways

Rocket.Chat, a team chat platform used by governments and enterprises worldwide, has been found to contain three vulnerabilities (software flaws). Two of them let an attacker take over another person's account without any identity check (authentication); the third requires a logged-in account. The two most serious, CVE-2026-45688 and CVE-2026-45689, both score 9.1 out of 10 (Critical).

All three were published as GitHub security advisories on June 24, 2026. The fixes are included in the latest release of each version line: 8.5.0 / 8.4.1 / 8.3.3 / 8.2.3 / 8.1.4 / 8.0.5 / 7.13.7 / 7.10.11. By slipping MongoDB query operators into values that the authentication code passes to the database, an attacker can bypass authentication, steal another user's access token and potentially escalate to administrator, so if you self-host Rocket.Chat you need to update now.

What kind of service is Rocket.Chat?

Rocket.Chat is a communication platform that handles team chat, calls and video meetings in one place, much like Slack. Its biggest distinction is that you can run it on your own server, or even in a closed, disconnected (air-gapped) environment, keeping your data under your own control. It is published as open source, and according to its official site it is widely adopted by security-conscious organizations such as the U.S. military (Army, Air Force), EU institutions, defense contractors and healthcare organizations.

Because it is where confidential exchanges concentrate, an account takeover has a grave impact. Two of the three flaws can be abused by an outside third party who is not logged in, and both rely on the same technique, "NoSQL injection": smuggling query operators into the database queries the server builds from user-supplied values.

Who targets it, what they do, and what happens

For the two most dangerous flaws, the targets are organizations running Rocket.Chat reachable over the network. The attack requires no login, so any third party who can send a request to the server can carry it out. Environments that keep external login federation (single sign-on) or app-integration endpoints open are especially in scope.

What the attacker does is send, in place of a credential value, data that the database interprets as query operators (MongoDB operators), so the lookup that should match only the legitimate token matches another user's record instead and hands over that user's access (a token). With the stolen token, the attacker can impersonate that user to read and write chats, and if the target is an administrator, can seize admin rights too.

A takeover leads to eavesdropping on confidential exchanges, fake instructions issued under a stolen identity, tampering with files and conversations, and expanded intrusion across the organization. Because Rocket.Chat is often used in sensitive settings such as government, defense and healthcare, the damage may not stop at one organization's data leak. Vulnerabilities confirmed to be exploited in the wild can be tracked in our CISA KEV Dashboard (Japanese edition).

What the three vulnerabilities are

The two more severe ones are both NoSQL injection: MongoDB query operators are injected into values that authentication endpoints pass to the database. The third lets a logged-in user rewrite fields of their own upload record that they should not control.

CVE-2026-45688: slipping past CAS login authentication to take over (CVSS 9.1)

According to the published advisory, the handler for "CAS" (Central Authentication Service), one of the external login federation methods, let an attacker inject MongoDB operators (MongoDB being the database Rocket.Chat uses) through the authentication value (credentialToken). This completely bypasses the proper ticket check, yields another user's access and can lead to escalation to administrator (GHSA-rr54-jf4h-6cj9). That it works without a login is what makes it serious.

CVE-2026-45689: stealing any user's access from the token-issuing endpoint (CVSS 9.1)

In this flaw, the values passed to the token-issuing endpoint (/oauth/token) were not properly validated, and here too an unauthenticated attacker could inject MongoDB operators to obtain the legitimate OAuth token of an arbitrary user. With the stolen token they can impersonate the target and, by choosing an administrator as the target, reach administrator-level operations.
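As an added illustration of the pattern both CVE-2026-45688 and CVE-2026-45689 belong to, the JavaScript below shows how a JSON request body that should carry a token string can instead carry an object of MongoDB operators, and how a simple type check closes the hole. This is example code written for this article, not Rocket.Chat's code and not a reproduction of either advisory: the in-memory collection, the field name services.sso.credentialToken, the usernames and the tokens are all constructed here. A real MongoDB driver evaluates the same operators server-side, which is why the untyped value is dangerous.

```javascript
// Added illustration of MongoDB operator injection through an authentication
// lookup, with the type check that closes it. This is NOT Rocket.Chat's code:
// the in-memory store, the field names and the request bodies are constructed
// for the example.

// Minimal stand-in for a MongoDB collection. It implements just enough of the
// filter language (equality on dotted paths, $ne, $in, $regex) to show why an
// attacker-controlled operator object changes what the query matches.
class FakeCollection {
  constructor(docs) {
    this.docs = docs;
  }

  static getPath(doc, path) {
    return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), doc);
  }

  static isOperatorObject(v) {
    return v !== null && typeof v === 'object' && !Array.isArray(v) && !(v instanceof RegExp);
  }

  static matchValue(actual, expected) {
    if (!FakeCollection.isOperatorObject(expected)) {
      return actual === expected; // plain value: equality
    }
    // Operator object such as { $ne: null }: every operator must hold.
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case '$ne':
          return actual !== arg;
        case '$in':
          return arg.includes(actual);
        case '$regex':
          return typeof actual === 'string' && new RegExp(arg).test(actual);
        default:
          throw new Error(`unsupported operator ${op}`);
      }
    });
  }

  findOne(filter) {
    const hit = this.docs.find((doc) =>
      Object.entries(filter).every(([path, expected]) =>
        FakeCollection.matchValue(FakeCollection.getPath(doc, path), expected)
      )
    );
    return hit || null;
  }
}

// Constructed sample data: two users, each holding a pending single-sign-on
// token under a nested field. The field name is an assumption for the example.
const users = new FakeCollection([
  { _id: 'u1', username: 'alice', roles: ['admin'], services: { sso: { credentialToken: 'tok-a1b2c3' } } },
  { _id: 'u2', username: 'bob', roles: ['user'], services: { sso: { credentialToken: 'tok-d4e5f6' } } },
]);

// VULNERABLE: the value decoded from the JSON body goes straight into the
// filter. A string is compared for equality; an object is read as operators.
function lookupByTokenVulnerable(body) {
  return users.findOne({ 'services.sso.credentialToken': body.credentialToken });
}

// HARDENED: reject anything that is not a non-empty string before it reaches
// the query, so no operator object can be smuggled in whatever the body shape.
function lookupByTokenHardened(body) {
  const token = body.credentialToken;
  if (typeof token !== 'string' || token.length === 0) {
    throw new TypeError('credentialToken must be a non-empty string');
  }
  return users.findOne({ 'services.sso.credentialToken': token });
}

// Request bodies as a JSON body parser delivers them. The attacker knows no
// token; the operator object matches any user whose token field is set.
const legitimateBody = JSON.parse('{"credentialToken":"tok-d4e5f6"}');
const injectedBody = JSON.parse('{"credentialToken":{"$ne":null}}');

function demoTokenLookup() {
  const results = {
    legitimate: lookupByTokenVulnerable(legitimateBody).username,        // 'bob'
    injectedVulnerable: lookupByTokenVulnerable(injectedBody).username,  // 'alice': first record with any token
    injectedHardened: null,
  };
  try {
    lookupByTokenHardened(injectedBody);
    results.injectedHardened = 'matched';
  } catch (e) {
    results.injectedHardened = e.constructor.name;                      // 'TypeError'
  }
  return results;
}

console.log(demoTokenLookup());
```

The point to take from the example is that the vulnerable lookup is not "wrong" in any obvious way; it only assumes the value is a string. Any endpoint that feeds a decoded JSON value into a query filter needs the same type check, or a schema validator that enforces it, in front of the database call.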

CVE-2026-45687: illicitly rewriting one's own record in file-send processing (CVSS 8.5)

In this flaw, the internal processing that handles file sending (sendFileMessage) passed the caller-supplied file object into a database update without restricting which fields it may set. A logged-in user can therefore rewrite any field of their own upload record, and by tampering with values such as the storage backend and path can undermine file organization and access control.
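The following added example shows the unrestricted-update pattern behind CVE-2026-45687 next to an allowlist that fixes it. It is illustration code for this article, not Rocket.Chat's sendFileMessage: the record shape, the set of client-writable fields and the malicious request are constructed here.

```javascript
// Added illustration of an unrestricted field update ("mass assignment") on a
// record the caller owns, and the allowlist that fixes it. Not Rocket.Chat's
// code: the record shape, field names and request body are constructed here.

// Fields a client is legitimately allowed to change on its own upload record.
// The set itself is an assumption for the example.
const CLIENT_WRITABLE_FIELDS = new Set(['name', 'description', 'type']);

// Constructed upload record as the server stored it after accepting the file.
// Storage-related fields and ownership are server-owned.
function sampleUploadRecord() {
  return {
    _id: 'file-0001',
    userId: 'u2',
    name: 'report.pdf',
    type: 'application/pdf',
    size: 10240,
    store: 'GridFS:Uploads',
    path: '/ufs/GridFS:Uploads/file-0001/report.pdf',
    rid: 'room-finance',
  };
}

// VULNERABLE: every key of the client-supplied object becomes part of $set.
function buildUpdateVulnerable(clientFile) {
  return { $set: { ...clientFile } };
}

// HARDENED: only allowlisted, string-valued keys survive. Rejected keys are
// returned so the caller can log the attempt rather than silently ignore it.
function buildUpdateHardened(clientFile) {
  const set = {};
  const rejected = [];
  for (const [key, value] of Object.entries(clientFile)) {
    if (CLIENT_WRITABLE_FIELDS.has(key) && typeof value === 'string') {
      set[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { $set: set, rejected };
}

// Apply a $set document to a record the way the database would.
function applySet(record, update) {
  return { ...record, ...update.$set };
}

// Constructed malicious body: a harmless-looking rename plus server-owned
// fields that would move the stored object, re-home it in another room and
// hand it to another user.
const maliciousFile = {
  name: 'report.pdf',
  store: 'FileSystem:Uploads',
  path: '/ufs/FileSystem:Uploads/other/report.pdf',
  rid: 'room-executive',
  userId: 'u1',
};

function demoFileUpdate() {
  const before = sampleUploadRecord();
  const afterVulnerable = applySet(before, buildUpdateVulnerable(maliciousFile));
  const hardened = buildUpdateHardened(maliciousFile);
  const afterHardened = applySet(before, hardened);
  return { afterVulnerable, afterHardened, rejected: hardened.rejected };
}

console.log(demoFileUpdate());
```

The allowlist is the fix to insist on: a denylist of "dangerous" fields breaks as soon as a new server-owned field is added, whereas an allowlist fails closed.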

A quick reference of attack preconditions

The three differ in "whether a login is needed." All are fixed in the latest release of each line.

CVE             Severity  Login       What can happen
CVE-2026-45688  9.1       Not needed  Auth bypass, account takeover, admin escalation
CVE-2026-45689  9.1       Not needed  Steal any user's access token
CVE-2026-45687  8.5       Needed      Tamper with one's own upload record

The top priority is the two unauthenticated flaws (CVE-2026-45688 / CVE-2026-45689). Servers exposed to the internet, and environments using external login federation, should act with particular urgency.

What to do now

The top priority is to update Rocket.Chat to the fixed release of your line (8.5.0 / 8.4.1 / 8.3.3 / 8.2.3 / 8.1.4 / 8.0.5 / 7.13.7 / 7.10.11 or later), that is, the fixed version matching the version line you run. Check the official releases page for the latest. If you use the cloud edition (Rocket.Chat Cloud), the provider applies the update.

If you cannot update immediately, useful mitigations are to restrict external connections to a trusted address range and to temporarily disable unused login federation (such as CAS) and app-integration endpoints. Also inspect logs for newly added administrator accounts, suspicious logins and issued tokens you cannot account for. If a takeover is suspected, revoke issued access tokens and prompt users to change their passwords.
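For the "check your version" step, the added helper below compares an installed version against the fixed releases listed in this article and says whether that line is patched. It is written for this article and is not a Rocket.Chat tool; the list of fixed releases is the one above, and any version line the article does not list (for example 7.11.x or 7.12.x) is reported as "unknown" rather than guessed.

```javascript
// Added helper for the "check your version" step. The fixed releases are the
// ones listed in this article; the logic is illustration, not a Rocket.Chat
// tool. Lines the article does not list are reported as "unknown".

// First fixed release per version line, as listed in the article.
const FIXED_RELEASES = ['8.5.0', '8.4.1', '8.3.3', '8.2.3', '8.1.4', '8.0.5', '7.13.7', '7.10.11'];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and an optional
// pre-release suffix such as "-rc.1". A pre-release is treated as older than
// the final release with the same numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre !== b.pre) return a.pre ? -1 : 1; // pre-release sorts before final
  return 0;
}

// Returns { status, fixedIn }: status is "patched", "vulnerable" or "unknown".
function checkVersion(installed) {
  const v = parseVersion(installed);
  const fixed = FIXED_RELEASES.map(parseVersion);

  // Same MAJOR.MINOR line as a listed fix: compare against that fix.
  const sameLine = fixed.find((f) => f.major === v.major && f.minor === v.minor);
  if (sameLine) {
    return {
      status: compareVersions(v, sameLine) >= 0 ? 'patched' : 'vulnerable',
      fixedIn: `${sameLine.major}.${sameLine.minor}.${sameLine.patch}`,
    };
  }

  // Newer than the newest listed line: released after the fix, so patched.
  const newest = fixed.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  if (compareVersions(v, newest) > 0) return { status: 'patched', fixedIn: null };

  // An older line with no listed fix: do not guess; flag for an upgrade review.
  return { status: 'unknown', fixedIn: null };
}

// Constructed sample inputs, e.g. the "version" field your server reports.
for (const sample of ['8.4.0', '8.4.1', '7.10.12', '7.12.3', '8.6.0', 'v8.5.0-rc.1']) {
  console.log(sample, checkVersion(sample));
}
```

The installed version is what the server itself reports; on a self-hosted instance the REST endpoint GET /api/info returns it in its "version" field, and the value in the admin console's workspace information page is the same one. Treat "unknown" as a prompt to move to a supported line, not as a pass.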

Summary

Of the three flaws found in Rocket.Chat, the most important are CVE-2026-45688 and CVE-2026-45689 (both CVSS 9.1), which steal another user's access token without a login. Both are NoSQL injection, with MongoDB query operators injected into authentication endpoints (CAS login and /oauth/token). The third is record tampering by a logged-in user. All are fixed in the latest release of each line.

Rocket.Chat is often used in sensitive settings such as government, defense, and healthcare, so a takeover's impact does not stop at one organization. If you self-host it, first check your version and, if it is old, update now. If new vulnerabilities concerning Rocket.Chat emerge, we will track them by adding to this article.
