CVE-2026-23477 | THREATINT

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.

PUBLISHED Reserved 2026-01-13 | Published 2026-01-14 | Updated 2026-01-14 | Assigner GitHub_M

HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-269: Improper Privilege Management

CWE-862: Missing Authorization

Product status

< 6.12.0

affected

References

github.com/...t.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2

cve.org (CVE-2026-23477)

nvd.nist.gov (CVE-2026-23477)

Download JSON