CVE-2026-23477

High CVSS: 7.7

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.

Vendor

Rocket.chat

Product

Rocket.chat

CWE

CWE-269

Yayın Tarihi

2026-01-14 19:16:47

Güncelleme

2026-01-26 18:03:24

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-269 Rocket.chat HIGH Rocket.chat 2026

Referanslar

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2

Benzer Kayıtlar

Medium

CVE-2026-30833

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.1…

High

CVE-2026-30831

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.1…

Critical

CVE-2026-28514

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.…

High

CVE-2025-7974

rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to…

Medium

CVE-2025-5892

A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the f…