CVE-2026-23477

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 6.12.0

Description Rocket.Chat is a communications platform. Versions up to 6.12.0 have an issue where the API endpoint '/api/v1/oauth-apps.get' is accessible to any authenticated user, irrespective of their role or permissions. This allows retrieval of OAuth application details, including potentially sensitive information like client id and client secret, if the user knows the application ID.

Recommendations Update to version 6.12.0 or later.

Exploit

Fix

Missing Authorization

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-269

Related Identifiers

CVE-2026-23477

GHSA-G4WM-FG3C-G4P2

Affected Products

Rocket.Chat

CVE-2026-23477

Weakness Enumeration

Related Identifiers

Affected Products

References · 5