Security Advisory - Published 2026-06-25 - Rocket.Chat
Rocket.Chat NoSQL auth batch: check SSO, OAuth, uploads, and apps
This Rocket.Chat batch affects authentication and file-record handling before the fixed 8.x and 7.x branches. Upgrade first, then review SSO login events, OAuth tokens, upload records, Apps-Engine installs, and administrator sessions.
Affected Rocket.Chat issues
| CVE | Upgrade | Review | CVSS |
|---|---|---|---|
| CVE-2026-45688 | fixed branch | SSO | 9.1 |
| CVE-2026-45689 | fixed branch | OAuth | 9.1 |
| CVE-2026-45687 | fixed branch | uploads | 8.5 |
Owner self-check
# Confirm a Rocket.Chat container is running
docker ps | grep -i rocketchat
# Locate deployment settings (MongoDB URL, root URL, OAuth/CAS/SAML configuration)
grep -Rni 'Rocket.Chat\|MONGO_URL\|ROOT_URL\|Accounts_OAuth\|CAS\|SAML' docker-compose.yml .env 2>/dev/null
# Pull the last 7 days of container logs and keep lines touching SSO, tokens, uploads, apps, admins, or errors
docker logs --since 7d "$(docker ps -q --filter name=rocketchat)" 2>/dev/null | grep -Ei 'cas|saml|oauth|token|upload|Apps-Engine|admin|error'
# Same keyword sweep over on-disk logs and data, most recent 220 matches
grep -Rni 'login\|oauth\|credential\|upload\|apps-engine\|admin' logs data 2>/dev/null | tail -220
What to review
- Rocket.Chat version against the fixed 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11 branches.
- CAS, SAML, and OAuth login events around the exposure window.
- New or refreshed access tokens, unusual sessions, and administrator API activity.
- File uploads, changed upload metadata, storage paths, Apps-Engine installs, and app permission changes.
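The review list above has two mechanical parts: deciding whether the installed version is at or past the fixed release for its branch, and sorting log lines into the categories to inspect. The following Python script is an added example written for this advisory, not Rocket.Chat or Ping7 code. The fixed-release list comes from the advisory; the log-line shape (ISO-8601 timestamp, level, message), the keyword-to-category mapping, and the sample log lines are constructed assumptions for illustration.

```python
"""Triage helpers for the Rocket.Chat auth/upload advisory (added example)."""
import re
from collections import Counter

# Fixed releases named in the advisory, keyed by release branch (major.minor).
FIXED_RELEASES = {
    "8.5": (8, 5, 0), "8.4": (8, 4, 1), "8.3": (8, 3, 3), "8.2": (8, 2, 3),
    "8.1": (8, 1, 4), "8.0": (8, 0, 5), "7.13": (7, 13, 7), "7.10": (7, 10, 11),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '8.4.1' into (8, 4, 1); anything else (pre-release tags, garbage) is
    rejected so an odd version string is surfaced instead of silently judged."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rocket.Chat version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(installed):
    """Return 'fixed', 'vulnerable', or 'branch-not-listed'.

    Only branches the advisory names are judged; any other branch is reported
    as not listed so the operator checks the vendor notes rather than a guess.
    """
    v = parse_version(installed)
    fixed = FIXED_RELEASES.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "branch-not-listed"
    return "fixed" if v >= fixed else "vulnerable"


# Review categories from the advisory, mapped to keywords assumed to appear in
# log messages. The keyword choice is an assumption of this example.
REVIEW_CATEGORIES = {
    "sso-login": ("cas", "saml"),
    "oauth-token": ("oauth", "token", "session"),
    "admin-api": ("admin",),
    "uploads-apps": ("upload", "apps-engine"),
}

# Assumed log shape: '2026-06-20T08:00:01Z LEVEL message...'
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<level>\w+)\s+(?P<msg>.*)$"
)


def classify_line(msg):
    """Return the set of review categories a single log message touches."""
    low = msg.lower()
    return {cat for cat, words in REVIEW_CATEGORIES.items()
            if any(w in low for w in words)}


def triage_logs(lines, window_start, window_end):
    """Count review hits per category for lines inside [window_start, window_end].

    Timestamps are compared as strings, which orders correctly because every
    parsed line uses the same fixed-width UTC shape. Lines that do not match the
    expected shape are counted under 'unparsed' so they are not silently lost.
    """
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        if not (window_start <= m.group("ts") <= window_end):
            continue
        for cat in classify_line(m.group("msg")):
            counts[cat] += 1
    return counts


# Constructed sample log lines; not taken from any real deployment.
SAMPLE_LOGS = [
    "2026-06-20T08:00:01Z INFO  SAML login succeeded for user alice",
    "2026-06-20T08:05:12Z WARN  OAuth token refreshed for client example-app",
    "2026-06-21T09:10:00Z INFO  Upload stored: path=/uploads/abc123",
    "2026-06-21T09:12:30Z INFO  Apps-Engine: app installed by admin",
    "2026-06-29T10:00:00Z INFO  CAS login succeeded for user bob",  # outside window
    "not a structured line",
]

if __name__ == "__main__":
    for v in ("8.4.0", "8.4.1", "7.10.11", "7.11.2"):
        print(v, version_status(v))
    print(triage_logs(SAMPLE_LOGS, "2026-06-19T00:00:00Z", "2026-06-26T00:00:00Z"))
```

Run it against the version reported by your deployment and the output of the log sweep above; a non-empty `unparsed` count means the log format differs from the assumed shape and the regular expression needs adjusting before the category counts can be trusted.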
Safe fix path
- Upgrade Rocket.Chat to the fixed branch that matches your deployment line.
- Temporarily restrict SSO/OAuth flows if suspicious login activity is present.
- Rotate OAuth client secrets, SSO integration credentials, and admin sessions if tokens or app installs look abnormal.
- Preserve Rocket.Chat and MongoDB logs before pruning sessions or tokens.
Repair help
Use Ping7 CVE Repair when Rocket.Chat has unknown OAuth tokens, suspicious SSO logins, unexpected app installs, or upload records that need incident review.