{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "8.5.0-rc.0"
              },
              {
                "fixed": "8.5.0"
              },
              {
                "introduced": "8.4.0-rc.0"
              },
              {
                "fixed": "8.4.1"
              },
              {
                "introduced": "8.3.0-rc.0"
              },
              {
                "fixed": "8.3.3"
              },
              {
                "introduced": "8.2.0-rc.0"
              },
              {
                "fixed": "8.2.3"
              },
              {
                "introduced": "8.1.0-rc.0"
              },
              {
                "fixed": "8.1.4"
              },
              {
                "introduced": "8.0.0-rc.0"
              },
              {
                "fixed": "8.0.5"
              },
              {
                "introduced": "7.11.0-rc.0"
              },
              {
                "fixed": "7.13.7"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "7.10.11"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "f3c2b8356043884f29c4d802668f3366a471c957"
            },
            {
              "fixed": "d0230e1ed86163b5cf9da57fda09fa86ea0b5c9f"
            },
            {
              "introduced": "c54eea7bf4c643534b78b65041a2fc78e4f122e0"
            },
            {
              "fixed": "a1b567bb36327c93bfaa8eba32c4bf94ecee2760"
            },
            {
              "introduced": "d7325cd940dd6908069999e4d168dea938ee2f52"
            },
            {
              "fixed": "84bb79f4aacf39dd3f909788e600c076368c3985"
            },
            {
              "introduced": "d97ea5ff436e863332d7fd1fa086ef9a9d75cd52"
            },
            {
              "fixed": "bb77a56b43c983bee6203ddb312a86c31f35e3e4"
            },
            {
              "introduced": "c04b2ca3d4dc586dc504794fa3048bb0c723f5b2"
            },
            {
              "fixed": "3c30743d812c50596694ea95bab5b84ebc7a5264"
            },
            {
              "introduced": "84481796011e0a74658b3e37ac96dd246da9466b"
            },
            {
              "fixed": "792cb12e4ebeb2566c593ecf5e6cc0d28a5d3f06"
            },
            {
              "introduced": "de7ffad1fa219af50d6bc7ef06021db30fcbf183"
            },
            {
              "fixed": "67947de0244ac3d35689efbf9c903dadf7f4ed14"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "85f0f2da5ff07643147d44697f16ce9685743520"
            }
          ],
          "repo": "https://github.com/rocketchat/rocket.chat",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-8p25-fm45-pjrw"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-943"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45689.json"
  },
  "details": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {\"$ne\": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.",
  "id": "CVE-2026-45689",
  "modified": "2026-07-15T01:48:52.141877119Z",
  "published": "2026-06-24T20:57:32.281Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45689.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-8p25-fm45-pjrw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45689"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO"
}