PatchSiren cyber security CVE debrief

CVE-2026-55666 RocketChat CVE debrief

CVE-2026-55666 is a critical vulnerability in Rocket.Chat's Apple OAuth flow. Prior to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's loginHandler.ts file improperly handles Apple-issued JWTs during the OAuth flow. If a JWT does not contain an email address, the application accepts an arbitrary email value supplied directly in the request. This allows attackers to forge Apple JWTs without an email address and use them to carry out account takeover attacks. The vulnerability has a CVSS score of 9.3 and is considered critical. It was published on June 24, 2026, and modified on June 29, 2026.

Vendor
RocketChat
Product
Rocket.Chat
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-29
Advisory published
2026-06-24
Advisory updated
2026-06-29

Who should care

Organizations using Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13 should be aware of this vulnerability. Specifically, administrators and security teams responsible for maintaining Rocket.Chat installations should take immediate action to upgrade to a patched version. Additionally, users who have accounts on Rocket.Chat instances that may be vulnerable should be cautious of potential account takeover attempts.

Technical summary

The vulnerability exists in the handleIdentityToken function within the loginHandler.ts file of Rocket.Chat's Meteor app. During the OAuth flow with Apple, the function parses the identity token (a JWT) issued by Apple. If the JWT does not contain an email claim, the application incorrectly falls back to accepting an arbitrary email value provided in the request. This oversight enables attackers to forge JWTs without an email address and use them to gain unauthorized access to user accounts. The vulnerability is characterized by its ability to bypass normal authentication mechanisms, allowing for account takeovers without valid credentials.
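The following TypeScript is an added illustration of the flaw class described above, not code from Rocket.Chat or its fix: a simplified model of the email-resolution step in an Apple identity-token login handler, showing the unsafe request fallback beside a hardened version that trusts only the token. The type and function names are assumptions; the claim names follow Apple's identity token.

```typescript
// Added example (not Rocket.Chat's code): simplified email resolution in an
// Apple identity-token login step. Names are assumed for illustration.

interface AppleIdentityClaims {
  sub: string;            // stable Apple user identifier
  email?: string;         // absent when the user hides it or on later sign-ins
  // Apple may encode this as a boolean or the string "true"/"false" (assumed)
  email_verified?: boolean | "true" | "false";
}

interface AppleLoginRequest {
  identityToken: AppleIdentityClaims; // assumed already signature-checked upstream
  email?: string;                     // caller-controlled request field
}

// Vulnerable pattern: when the token carries no email, fall back to whatever
// the request body says. The address used to locate and link an existing
// account is then chosen by the caller, not attested by Apple.
function resolveEmailVulnerable(req: AppleLoginRequest): string | undefined {
  return req.identityToken.email ?? req.email;
}

// Hardened pattern: an email used for account linking may only come from the
// token, and only when Apple marks it verified. Otherwise the handler must
// continue on `sub` alone (or reject), never on a request-supplied address.
function resolveEmailHardened(req: AppleLoginRequest): string | undefined {
  const { email, email_verified } = req.identityToken;
  if (!email) return undefined;
  const verified = email_verified === true || email_verified === "true";
  return verified ? email : undefined;
}

// Constructed sample: a token without an email claim, paired with a request
// that names an address the token never asserted.
const sampleTokenWithoutEmail: AppleLoginRequest = {
  identityToken: { sub: "001234.constructed-sub" },
  email: "someone-else@example.com",
};

const sampleVerifiedToken: AppleLoginRequest = {
  identityToken: { sub: "001234.constructed-sub", email: "user@example.com", email_verified: "true" },
};
```

With the sample above, the vulnerable resolver returns the request-supplied address while the hardened one returns nothing, which is the check a code review of this handler should demand.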

Defensive priority

This vulnerability should be prioritized for immediate remediation due to its critical severity and potential for exploitation. Attackers can easily forge Apple JWTs to carry out account takeover attacks, which can lead to unauthorized access to sensitive information and potential lateral movement within an organization.

Recommended defensive actions

  • Upgrade Rocket.Chat to the patched release for its line (8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13) or later.
  • Implement additional monitoring and logging to detect potential account takeover attempts.
  • Review and update authentication and authorization mechanisms to ensure they are properly configured and enforced.
  • Consider implementing compensating controls, such as multi-factor authentication, to reduce the risk of account takeover attacks.
  • Conduct a thorough review of Rocket.Chat instance configurations and user accounts to identify potential vulnerabilities.

Evidence notes

This debrief of CVE-2026-55666 is based on information from official sources, including the CVE record and NVD detail pages. The vulnerability is confirmed to exist in Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The CVSS score of 9.3 indicates a critical severity level. However, the exact scope of affected systems and the potential impact on specific organizations are not fully detailed in the available information.

Official resources

This article is AI-assisted and based on the supplied source corpus.