CVE ID: CVE-2026-23477
Affected Product: Rocket.Chat (prior to version 6.12.0)
Severity: High
CVSS v3.1 Score: 7.7 (High)
Impact: Disclosure of OAuth client secrets
Exploitability: Easy for authenticated users
Exploit Availability: No publicly released exploit code, but trivial to test if you have valid user credentials
What This Vulnerability Is About
Rocket.Chat is a popular team communication and collaboration platform. It supports OAuth integrations so you can link it with external identity providers or third-party apps.
In versions of Rocket.Chat before 6.12.0, there is a flaw in one of the internal API functions that lets any logged-in user retrieve details about configured OAuth applications — including the most sensitive information: the OAuth client secret.
A client secret is essentially a password for an application. With it, an attacker can impersonate that app to the identity provider or other services that trust the OAuth credentials. Think of it as handing over the keys to a service account.
This happens because the API that returns OAuth app configuration does not check whether the requester has the right privileges. Any authenticated user can call it with an application identifier and the server returns the full details, without verifying that the caller is an administrator.
Who Is at Risk
- Any organization using Rocket.Chat versions older than 6.12.0
- Deployments where user accounts are public or easy to create
- Teams with multiple OAuth clients configured
- Installations exposed to the internet
Since you only need a valid user account to get the secret, automated attackers or low-privileged users are a real threat.
How an Attack Could Work
A realistic exploitation scenario goes like this:
- An attacker obtains a normal user account on a target Rocket.Chat installation. This could be a throwaway account created through an open registration page or stolen credentials.
- The attacker discovers or guesses an OAuth application identifier configured in Rocket.Chat. These IDs are often predictable or exposed through other API responses.
- The attacker sends a simple authenticated HTTP request to the oauth-apps.get API endpoint with that ID.
- The server responds with the OAuth application’s full details, including client_id and client_secret.
- With the secret in hand, the attacker can query the identity provider (such as Google, Microsoft, GitHub, custom OAuth providers) to obtain tokens or generate new ones, effectively impersonating the legitimate application.
This means they might be able to access internal APIs, read data, issue actions, or move laterally in your environment depending on how OAuth is used.
Why This Is Serious
OAuth secrets are as powerful as user passwords for the application they belong to. If someone steals those credentials, they can:
- Exchange the OAuth client secret for tokens without needing a valid user password
- Access parts of your service or identity system that trust the OAuth client
- Run automated attacks that reuse the stolen credentials
- Blend in with normal traffic since tokens come from a legitimate integration
Because there is no need for administrative privileges to exploit this vulnerability, large deployments with many users are especially exposed.
How You Might Detect Attempts or Exploitation
There are several angles from which defenders can notice suspicious behavior related to this vulnerability:
1. API Access Patterns
Look for repeated or unusual calls to the Rocket.Chat API endpoint responsible for delivering OAuth application details. The endpoint name is:
GET /api/v1/oauth-apps.get?appId=<some-id>
If a regular user account suddenly makes this kind of request, especially multiple times with different IDs, that’s abnormal.
2. Abnormal Access from Non-Admin Users
Only administrators should ever need to view full OAuth client details. If someone with a user role other than admin is querying for OAuth app details, that’s a red flag.
You can log Rocket.Chat API calls including the user role, time, and request path. Alerts should be configured for:
- API requests to oauth-apps.get from non-admin accounts
- Successful requests returning a large JSON payload (often signifying secret data)
- Multiple unique appId values requested in short order (possible enumeration)
3. JSON Response Content Detection
If your logging system ingests API responses, search for patterns like "client_secret": or "client_id": in the JSON payload from API requests. A legitimate client secret should never be returned to non-admin users.
4. Post-Disclosure OAuth Requests
After someone obtains an OAuth secret, they may immediately attempt to exchange it for tokens at the identity provider’s token endpoint.
Look for outbound HTTPS requests where the client_id and client_secret from your configured Rocket.Chat apps are being passed. This often appears shortly after suspicious API calls.
Example Detection Rules
Network Rule (Signature Detection)
This type of rule looks for HTTP requests to the vulnerable API endpoint (Suricata syntax, using the http.method and http.uri sticky buffers):
alert http any any -> any any (msg:"Possible OAuth secrets enumeration attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/v1/oauth-apps.get"; sid:1001001; rev:1;)
Tune for environments with legitimate admin activity.
SIEM Rule Example – Looking for Disclosures
Let’s say you have HTTP proxy logs ingested into your SIEM:
index=web_logs
uri_path="/api/v1/oauth-apps.get"
| stats count by user_role, user, status_code
| where user_role != "admin" AND status_code == 200
If any non-admin has a count > 0, investigate.
Content Inspection
If you capture API responses, you can detect secret exposure with a rule like:
http.response.body contains "client_secret"
This should be flagged for investigation immediately.
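The four detection angles above (non-admin calls to the endpoint, secrets in response bodies, and appId enumeration) and the SIEM query, turned into a small analyzer that runs over constructed log events. This is an added example, not code from Rocket.Chat or from the original advisory; the event field names (ts, user, role, uri, status, body), the enumeration thresholds and the shape of the leaked response body are assumptions made for the example.

```python
"""Detection logic for CVE-2026-23477 access patterns over constructed API log events."""
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

VULN_PATH = "/api/v1/oauth-apps.get"  # endpoint named in the advisory
SECRET_MARKER = '"client_secret"'     # key that should never reach a non-admin
ENUM_THRESHOLD = 3                    # distinct appIds from one user ...
ENUM_WINDOW_SEC = 60                  # ... within this many seconds = enumeration


def leaked_body(app_id):
    """Constructed response body; the real payload shape is not taken from the advisory."""
    return '{"oauthApp":{"client_id":"%s","client_secret":"EXAMPLE-SECRET"}}' % app_id


# Constructed sample events, shaped like parsed proxy/API logs held in a SIEM.
# Field names (ts, user, role, uri, status, body) are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2026-02-01T10:00:00Z", "user": "alice", "role": "admin",
     "uri": VULN_PATH + "?appId=app-1", "status": 200, "body": leaked_body("app-1")},
    {"ts": "2026-02-01T10:04:00Z", "user": "bob", "role": "user",
     "uri": "/api/v1/me", "status": 200, "body": '{"username":"bob"}'},
    {"ts": "2026-02-01T10:05:00Z", "user": "bob", "role": "user",
     "uri": VULN_PATH + "?appId=app-1", "status": 200, "body": leaked_body("app-1")},
    {"ts": "2026-02-01T10:05:10Z", "user": "bob", "role": "user",
     "uri": VULN_PATH + "?appId=app-2", "status": 200, "body": leaked_body("app-2")},
    {"ts": "2026-02-01T10:05:20Z", "user": "bob", "role": "user",
     "uri": VULN_PATH + "?appId=app-3", "status": 200, "body": leaked_body("app-3")},
    {"ts": "2026-02-01T10:06:00Z", "user": "carol", "role": "user",
     "uri": VULN_PATH + "?appId=app-9", "status": 403, "body": '{"success":false}'},
]


def app_id_of(uri):
    """Return the appId query parameter of a request URI, or None if absent."""
    return parse_qs(urlparse(uri).query).get("appId", [None])[0]


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyze(events):
    """Return one alert dict per match for the patterns the advisory describes:
    a non-admin call to the endpoint, a client_secret in a response to a non-admin,
    and many distinct appIds from one user in a short window (enumeration)."""
    alerts = []
    history = defaultdict(list)  # user -> [(timestamp, appId)]
    flagged_enumerators = set()  # report each enumerating user only once
    for ev in sorted(events, key=lambda e: e["ts"]):
        if urlparse(ev["uri"]).path != VULN_PATH or ev["role"] == "admin":
            continue  # other endpoints and admin reads are expected traffic
        ts, user, app_id = _parse_ts(ev["ts"]), ev["user"], app_id_of(ev["uri"])
        base = {"user": user, "appId": app_id, "ts": ev["ts"]}
        # Angles 1 and 2: any non-admin request to the endpoint is worth a look, 200 or not.
        alerts.append(dict(base, rule="non_admin_request", status=ev["status"]))
        # Angle 3: a successful response to a non-admin carries the secret key.
        if ev["status"] == 200 and SECRET_MARKER in ev.get("body", ""):
            alerts.append(dict(base, rule="secret_disclosed"))
        # Enumeration: distinct appIds this user requested inside the sliding window.
        history[user].append((ts, app_id))
        recent = {a for t, a in history[user]
                  if a is not None and (ts - t).total_seconds() <= ENUM_WINDOW_SEC}
        if len(recent) >= ENUM_THRESHOLD and user not in flagged_enumerators:
            flagged_enumerators.add(user)
            alerts.append(dict(base, rule="app_id_enumeration", distinct_app_ids=sorted(recent)))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'non_admin_request': 4, ...}."""
    return dict(Counter(a["rule"] for a in alerts))


def users_to_investigate(alerts):
    """Sorted list of non-admin accounts that triggered any rule."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(summarize(found), users_to_investigate(found))
```

Admin reads are skipped deliberately, matching the advisory's point that only administrators should ever need these details; the 403 from carol still produces a low-severity non_admin_request alert because the attempt itself is the signal, while secret_disclosed fires only when a 200 response body to a non-admin actually contains client_secret.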
What to Do If You Find Evidence of Abuse
- Rotate Affected OAuth Credentials: Treat these secrets like leaked passwords. Immediately change them at the identity provider and update the configuration in Rocket.Chat.
- Audit Who Called the API: Identify client IPs and accounts that accessed the API. Check if they are legitimate administrators or unknown accounts.
- Suspend or Reset Accounts: If the attacker was using a real account, consider locking it and forcing a password reset.
- Review Access Patterns Post-Disclosure: Watch for token requests from unexpected IPs, times, or services.
How to Prevent or Mitigate Without Immediate Patch
If you cannot immediately upgrade to the fixed version, consider:
- Restricting access to the Rocket.Chat API endpoint at your firewall or web application firewall so that only trusted admin networks can reach it
- Removing all OAuth applications temporarily until patched
- Restricting user registrations and enforcing stricter authentication to reduce the number of potential attackers
These are not replacements for a patch but can buy you time.
Official Patch / Upgrade
The only real fix is to update Rocket.Chat to a version that has the vulnerability patched. The patch was included in Rocket.Chat 6.12.0 and later.
👉 Patch / Upgrade Location:
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2
Final Takeaway
CVE-2026-23477 is a high-severity bug in Rocket.Chat that lets any logged-in user see OAuth client secrets by calling a poorly protected API. This lets attackers impersonate applications and potentially do anything that the OAuth app was trusted to do. It’s easy to exploit, hard to notice without good logging, and serious because it exposes secret credentials.
The detection relies on seeing who is calling the vulnerable endpoint, especially non-admin users, and watching for signs of secrets being used afterward. The only complete fix is to update Rocket.Chat to the patched version and then rotate all exposed OAuth credentials.
