CVE-2026-55759

HIGH 7.4

Rocket.Chat: Apple Sign-In skips JWT claims validation, allowing expired and cross-audience token replay

CVSS Score

7.4

EPSS Score

0.0%

EPSS Percentile

0th

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

CWE	CWE-287 CWE-294
Vendor	rocketchat
Product	rocket.chat
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for rocketchat rocket.chat

Be the first to know when new high vulnerabilities affecting rocketchat rocket.chat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

RocketChat / Rocket.Chat

>= 8.5.0-rc.0, < 8.5.1 >= 8.4.0-rc.0, < 8.4.4 >= 8.3.0-rc.0, < 8.3.6 >= 8.2.0-rc.0, < 8.2.6 >= 8.1.0-rc.0, < 8.1.6 >= 7.11.0-rc.0, < 8.0.7 < 7.10.13

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-c75c-5hc7-j4vp