CVE-2026-23477
Published: 14 January 2026
Summary
CVE-2026-23477 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Rocket.Chat (vendor: Rocket.Chat). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 10.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations on API endpoints like /api/v1/oauth-apps.get to prevent any authenticated user from accessing sensitive OAuth client_id and client_secret.
- Applies least privilege to restrict low-privileged authenticated users from retrieving sensitive OAuth application details regardless of known IDs.
- Monitors for unauthorized disclosures of sensitive information such as OAuth client_secret via exposed API endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exploitation of a vulnerable public-facing API endpoint in Rocket.Chat to access sensitive OAuth credentials.
NVD Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.
Deeper analysis
CVE-2026-23477 is an improper access control vulnerability (CWE-269, CWE-862) in Rocket.Chat, an open-source communications platform, affecting versions up to 6.12.0. The issue stems from the API endpoint GET /api/v1/oauth-apps.get being exposed to any authenticated user, irrespective of their role or permissions. If an attacker knows the ID of an OAuth application, this endpoint returns its details, including sensitive fields like client_id and client_secret. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope.
Any authenticated user with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting a simple GET request to the endpoint using a known OAuth application ID, the attacker retrieves the application's client_id and client_secret. These credentials could then be abused to impersonate the application in OAuth flows, potentially granting unauthorized access to integrated third-party services or resources configured via OAuth in the Rocket.Chat instance.
Rocket.Chat addressed this vulnerability in version 6.12.0. Security practitioners should upgrade to this patched release immediately. Additional mitigation guidance and technical details are available in the vendor advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2.
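To make the access-control gap concrete, the following added example (not Rocket.Chat's own code) models an oauth-apps.get style handler in two shapes: the vulnerable one, which only checks that the caller is authenticated, and the hardened one, which enforces a permission check (AC-3/AC-6) before the record is looked up. The permission name `manage-oauth-apps`, the role mapping and the sample records are assumptions constructed for the example.

```javascript
// Constructed sample data: one OAuth app record and two authenticated users.
const OAUTH_APPS = new Map([
  ['app-123', { _id: 'app-123', name: 'CRM connector',
                clientId: 'cid-abc', clientSecret: 'SECRET-xyz' }],
]);
const USERS = {
  alice: { username: 'alice', roles: ['user'] },  // low-privileged member
  admin: { username: 'admin', roles: ['admin'] }, // administrator
};

// Hypothetical permission-to-role map; the permission name is an assumption.
const PERMISSIONS = { 'manage-oauth-apps': ['admin'] };

function hasPermission(user, permission) {
  const allowedRoles = PERMISSIONS[permission] || [];
  return user.roles.some((role) => allowedRoles.includes(role));
}

// Vulnerable shape: authentication is the only gate, so any logged-in
// caller who knows the ID receives the full record, secret included.
function getOAuthAppVulnerable(user, appId) {
  if (!user) return { status: 401 };
  const app = OAUTH_APPS.get(appId);
  if (!app) return { status: 404 };
  return { status: 200, body: app };
}

// Hardened shape: enforce the authorization before the lookup. Returning 403
// ahead of 404 also keeps unauthorized callers from confirming which IDs exist.
function getOAuthAppHardened(user, appId) {
  if (!user) return { status: 401 };
  if (!hasPermission(user, 'manage-oauth-apps')) return { status: 403 };
  const app = OAUTH_APPS.get(appId);
  if (!app) return { status: 404 };
  return { status: 200, body: app };
}

// Stand-alone demonstration of both behaviours for the same request.
console.log('vulnerable, alice:', getOAuthAppVulnerable(USERS.alice, 'app-123').status);
console.log('hardened, alice:  ', getOAuthAppHardened(USERS.alice, 'app-123').status);
console.log('hardened, admin:  ', getOAuthAppHardened(USERS.admin, 'app-123').status);
```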
Details
- CWE(s)