CRITICAL
RocketChat
CVE published 2026-06-24
CVE-2026-55666
CVE-2026-55666 is a critical vulnerability in Rocket.Chat's Apple OAuth flow. Prior to versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's loginHandler.ts file improperly handles Apple-issued JWTs during the OAuth flow. If a JWT does not contain an email address, the application accepts an arbitrary email value supplied directly in the request. This allows attackers to forge Appl [truncated]
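
The email fallback described above, next to a hardened form, as an added example that is not Rocket.Chat's code. The function names, the request shape and the choice to reject a mismatched request email are assumptions, and the token is assumed to have passed signature, issuer, audience and expiry checks already.

```typescript
// Added example with illustrative names; not the contents of loginHandler.ts.
// Assumption: `claims` come from an Apple ID token already verified upstream.
interface AppleClaims { sub: string; email?: string; email_verified?: boolean | string }
interface LoginRequest { email?: string } // client-controlled input
interface Identity { appleSub: string; email: string | null; emailTrusted: boolean }

// Pattern the advisory describes: when the token carries no email claim,
// the request decides which address the login is mapped to.
function resolveIdentityVulnerable(claims: AppleClaims, req: LoginRequest): Identity {
  const email = claims.email ?? req.email ?? null;
  return { appleSub: claims.sub, email, emailTrusted: email !== null };
}

// Hardened: identity is keyed on the signed `sub`; an email counts only when
// it is a signed, verified claim. A request-supplied email is never trusted.
function resolveIdentityHardened(claims: AppleClaims, req: LoginRequest): Identity {
  if (typeof claims.sub !== "string" || claims.sub.length === 0) {
    throw new Error("token has no subject");
  }
  const verified = claims.email_verified === true || claims.email_verified === "true";
  const signedEmail =
    typeof claims.email === "string" && verified ? claims.email.trim().toLowerCase() : null;
  if (req.email !== undefined && req.email.trim().toLowerCase() !== signedEmail) {
    // Worth logging: the client asserted an address the token does not back.
    throw new Error("request email is not backed by the signed token");
  }
  return { appleSub: claims.sub, email: signedEmail, emailTrusted: signedEmail !== null };
}

// Constructed sample inputs: a token without an email claim, and a request
// that names an address the caller does not own.
const tokenWithoutEmail: AppleClaims = { sub: "001234.constructed.5678" };
const forgedRequest: LoginRequest = { email: "admin@example.com" };

function demo(): string[] {
  const out = [`vulnerable -> ${resolveIdentityVulnerable(tokenWithoutEmail, forgedRequest).email}`];
  try {
    resolveIdentityHardened(tokenWithoutEmail, forgedRequest);
    out.push("hardened -> accepted");
  } catch (e) {
    out.push(`hardened -> rejected: ${(e as Error).message}`);
  }
  return out;
}
console.log(demo().join("\n"));
```

With the hardened form, a login whose token lacks an email still resolves, but only to the account bound to that `sub`, with `emailTrusted` set to false so no email-based account lookup or merge follows.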