

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps…
Published:
13 January 2026 at 23:00:00
Alert date:
14 January 2026 at 20:01:57
Source:
nvd.nist.gov
Web Technologies, Identity & Access, Email & Messaging
Rocket.Chat versions prior to 6.12.0 expose the OAuth apps API endpoint to any authenticated user, regardless of that user's permissions. GET /api/v1/oauth-apps.get returns the full OAuth application record, including the sensitive client_id and client_secret fields, to any logged-in user who knows the application ID. The missing permission check is an authorization bypass: a low-privileged account obtains a credential that should be restricted to administrators, and a leaked client_secret lets its holder authenticate as that OAuth application. The issue is fixed in version 6.12.0.
Technical details
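To make the authorization flaw concrete, the following is an added example in JavaScript and is not Rocket.Chat's code: it models the unpatched handler beside a permission-checked one, and includes a small helper for checking a captured response body for a leaked secret. The in-memory store, the user records, the permission name and the handler names are all hypothetical.

```javascript
// Added illustration, not Rocket.Chat's code: a minimal model of the
// oauth-apps.get authorization flaw and the shape of the fix. All names
// (OAUTH_APPS, USERS, MANAGE_OAUTH_PERMISSION, the handlers) are hypothetical.

// Constructed sample data: one registered OAuth app, stored with the field
// names the advisory lists (client_id, client_secret).
const OAUTH_APPS = new Map([
  ["app-123", {
    _id: "app-123",
    name: "ci-bot",
    client_id: "ci-bot-client",
    client_secret: "constructed-secret-do-not-use",
  }],
]);

// Hypothetical callers: an administrator holding the management permission
// and an ordinary member holding none.
const MANAGE_OAUTH_PERMISSION = "manage-oauth-apps";
const USERS = {
  admin: { id: "u-admin", permissions: new Set([MANAGE_OAUTH_PERMISSION]) },
  member: { id: "u-member", permissions: new Set() },
};

function hasPermission(user, perm) {
  return user.permissions.has(perm);
}

// Vulnerable handler: the only gate is "is the caller logged in". Any
// authenticated user who knows appId receives the record, secret included.
function vulnerableGet(user, appId) {
  if (!user) return { status: 401, body: { success: false, error: "unauthorized" } };
  const app = OAUTH_APPS.get(appId);
  if (!app) return { status: 404, body: { success: false, error: "not found" } };
  return { status: 200, body: { success: true, oauthApp: app } };
}

// Fixed handler: authorize before reading anything. Callers without the
// management permission are refused with 403 whether or not the app exists,
// so the endpoint also stops confirming which IDs are valid.
function fixedGet(user, appId) {
  if (!user) return { status: 401, body: { success: false, error: "unauthorized" } };
  if (!hasPermission(user, MANAGE_OAUTH_PERMISSION)) {
    return { status: 403, body: { success: false, error: "forbidden" } };
  }
  const app = OAUTH_APPS.get(appId);
  if (!app) return { status: 404, body: { success: false, error: "not found" } };
  // Project explicit fields instead of returning the raw record, so a field
  // added to the store later is not exposed by accident.
  const { _id, name, client_id, client_secret } = app;
  return { status: 200, body: { success: true, oauthApp: { _id, name, client_id, client_secret } } };
}

// Audit helper: given the parsed JSON body of a response obtained while
// calling the endpoint as a non-administrative user, report whether an OAuth
// secret came back. Accepts both the advisory's snake_case name and the
// camelCase spelling, so it can be pointed at a real captured response.
function leaksSecret(body) {
  const app = body && body.oauthApp;
  if (!app || typeof app !== "object") return false;
  return ["client_secret", "clientSecret"].some(
    (k) => typeof app[k] === "string" && app[k].length > 0
  );
}

// Stand-alone demo (CommonJS only): compare the member's view before and after.
if (typeof module !== "undefined" && require.main === module) {
  const before = vulnerableGet(USERS.member, "app-123");
  const after = fixedGet(USERS.member, "app-123");
  console.log("unpatched, member:", before.status, "leaks secret:", leaksSecret(before.body));
  console.log("patched, member:  ", after.status, "leaks secret:", leaksSecret(after.body));
  console.log("patched, admin:   ", fixedGet(USERS.admin, "app-123").status);
}
```

To check a live instance, fetch /api/v1/oauth-apps.get with a non-administrative user's X-Auth-Token and X-User-Id headers (the headers the Rocket.Chat REST API uses for authentication) and pass the parsed body to leaksSecret: a 200 response in which it returns true means the permission check is absent, while a patched server answers 403 for that user.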
Mitigation steps:
Upgrade to Rocket.Chat 6.12.0 or later, where the endpoint enforces the permission check. Because any authenticated user of an unpatched instance could have read the client_id and client_secret of any application whose ID they knew, treat existing OAuth client secrets as potentially exposed and rotate them after upgrading. Where API access logs are retained, review GET /api/v1/oauth-apps.get requests made by non-administrative accounts.
Affected products:
Rocket.Chat
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-23477
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.

