
CVE-2026-55759

Severity: 7.4 HIGH (CVSS 3.1)
Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
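As an added example (not Rocket.Chat's own code), the flawed predicate the advisory describes is shown beside the claims validation that must follow signature verification of an Apple identity token. The issuer URL is Apple's documented one; the client id, nonce, timestamps and sample claims are constructed.

```javascript
// Added example, not Rocket.Chat code. Assumes the token's signature has
// already been verified against Apple's public keys; this is the claims step.
const APPLE_ISSUER = 'https://appleid.apple.com';

// Mirrors the flawed check in the advisory: any signed token with a
// non-empty iss is accepted, ignoring aud, exp, nbf and nonce.
function acceptsVulnerable(claims) {
  return typeof claims.iss === 'string' && claims.iss.length > 0;
}

// Hardened check. `expected` carries values the server itself knows: its
// Apple client_id (the aud it should see) and the nonce it issued for this
// sign-in. `now` is Unix seconds; `skew` tolerates small clock drift.
function validateAppleClaims(claims, expected, now, skew = 60) {
  const errors = [];
  if (claims.iss !== APPLE_ISSUER) errors.push('iss');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) errors.push('aud');
  if (typeof claims.exp !== 'number' || claims.exp + skew <= now) errors.push('exp');
  if (typeof claims.nbf === 'number' && claims.nbf - skew > now) errors.push('nbf');
  if (typeof claims.iat !== 'number' || claims.iat - skew > now) errors.push('iat');
  // Binding the nonce to this flow is what closes the replay window.
  if (typeof claims.nonce !== 'string' || claims.nonce !== expected.nonce) errors.push('nonce');
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) errors.push('sub');
  return { ok: errors.length === 0, errors };
}

// Constructed sample: a token minted long ago for a different app, carrying
// the nonce of some other sign-in. Its signature is taken as valid.
const replayed = {
  iss: APPLE_ISSUER, aud: 'com.example.other-app', sub: '001234.abcdef',
  iat: 1700000000, exp: 1700000600, nonce: 'nonce-from-old-flow',
};
const expected = { clientId: 'chat.rocket.example', nonce: 'nonce-for-this-login' };
const now = 1750000000;

console.log(acceptsVulnerable(replayed));                  // true
console.log(validateAppleClaims(replayed, expected, now)); // ok: false, errors: aud, exp, nonce
```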

Metadata

CVE ID: CVE-2026-55759
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-17 14:34 UTC
Published: 2026-06-24 21:07 UTC
Last updated: 2026-06-24 21:07 UTC
Primary CWE: CWE-287: Improper Authentication
Vendor / Product: RocketChat / Rocket.Chat
Sources: cve.org · NVD

Severity & Metrics

7.4 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products (1)

Vendor | Product | Platform | Versions
RocketChat | Rocket.Chat | | >= 8.5.0-rc.0, < 8.5.1, >= 8.4.0-rc.0, < 8.4.4, >= 8.3.0-rc.0, < 8.3.6, >= 8.2.0-rc.0, < 8.2.6 …
Weakness (CWE)

CWE | Source | Description
CWE-287 | cna | CWE-287: Improper Authentication
CWE-294 | cna | CWE-294: Authentication Bypass by Capture-replay
CVSS scores (1)

Score | Severity | Version | Source | Vector
7.4 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N