
Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens: deactivation marks the account inactive but does not revoke the sessions that were issued to it before the change. A user that an administrator has marked inactive for idleness can therefore still call authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
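The behaviour described above can be verified after patching with a regression check. The following is an added example and not Rocket.Chat's own code or the advisory's proof of concept: it logs in a test user, records the issued token, has an administrator call users.deactivateIdle, and then probes an authenticated endpoint with the old token. It assumes the public Rocket.Chat REST API routes /api/v1/login, /api/v1/users.deactivateIdle and /api/v1/me and the X-Auth-Token / X-User-Id header pair; the fetch implementation is injected so the sequence can also be exercised offline against the constructed fake server included at the end (the user names, ids and tokens in that fake are made up).

```javascript
// Added regression check for CVE-2026-45757 (not Rocket.Chat's code).
// Assumes the public REST API: POST /api/v1/login, POST /api/v1/users.deactivateIdle,
// GET /api/v1/me, authenticated with X-Auth-Token / X-User-Id. Requires Node 18+
// for the global fetch; any fetch-compatible function can be injected instead.

const authHeaders = (userId, token) => ({
  'X-Auth-Token': token,
  'X-User-Id': userId,
  'Content-Type': 'application/json',
});

// Log in and return the issued session. This is the token the fix must revoke.
async function login(baseUrl, user, password, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/api/v1/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ user, password }),
  });
  if (res.status !== 200) throw new Error(`login failed: HTTP ${res.status}`);
  const body = await res.json();
  return { userId: body.data.userId, authToken: body.data.authToken };
}

// Administrator action that triggers the bug: deactivate every account idle for >= daysIdle days.
// This affects all matching users on the instance, so only run it against a disposable test server.
async function deactivateIdle(baseUrl, admin, daysIdle, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/api/v1/users.deactivateIdle`, {
    method: 'POST',
    headers: authHeaders(admin.userId, admin.authToken),
    body: JSON.stringify({ daysIdle }),
  });
  if (res.status !== 200) throw new Error(`users.deactivateIdle failed: HTTP ${res.status}`);
  return res.json();
}

// Probe: does a session still authenticate? True on HTTP 200 from /api/v1/me.
async function tokenStillValid(baseUrl, session, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/api/v1/me`, {
    headers: authHeaders(session.userId, session.authToken),
  });
  return res.status === 200;
}

// Full sequence. Returns 'vulnerable' if the pre-deactivation token still works, 'fixed' otherwise.
async function checkSessionRevocation(baseUrl, adminCreds, victimCreds, daysIdle, fetchImpl = fetch) {
  const admin = await login(baseUrl, adminCreds.user, adminCreds.password, fetchImpl);
  const victim = await login(baseUrl, victimCreds.user, victimCreds.password, fetchImpl);
  if (!(await tokenStillValid(baseUrl, victim, fetchImpl))) {
    throw new Error('victim token rejected before deactivation; check credentials');
  }
  await deactivateIdle(baseUrl, admin, daysIdle, fetchImpl);
  return (await tokenStillValid(baseUrl, victim, fetchImpl)) ? 'vulnerable' : 'fixed';
}

// Constructed fake server for offline use. It models the defect: deactivation flips the
// account's active flag but, unless revokeOnDeactivate is set, leaves issued tokens alive,
// and the auth gate only consults the token store. Names, ids and tokens are made up.
function makeFakeServer({ revokeOnDeactivate }) {
  const users = { admin: { id: 'a1', active: true }, alice: { id: 'u1', active: true } };
  const tokens = new Map(); // userId -> Set of live tokens
  let issued = 0;
  const json = (status, body) => ({ status, json: async () => body });
  return async (url, opts = {}) => {
    const path = new URL(url).pathname;
    const headers = opts.headers || {};
    const uid = headers['X-User-Id'];
    const authed = uid !== undefined && tokens.get(uid)?.has(headers['X-Auth-Token']);
    if (path === '/api/v1/login') {
      const { user } = JSON.parse(opts.body);
      const u = users[user];
      if (!u) return json(401, { status: 'error' });
      const t = `tok-${user}-${++issued}`;
      if (!tokens.has(u.id)) tokens.set(u.id, new Set());
      tokens.get(u.id).add(t);
      return json(200, { status: 'success', data: { userId: u.id, authToken: t } });
    }
    if (!authed) return json(401, { status: 'error', message: 'Unauthorized' });
    if (path === '/api/v1/users.deactivateIdle') {
      // Fake treats every account other than the caller as idle.
      for (const u of Object.values(users)) {
        if (u.id === uid) continue;
        u.active = false;
        if (revokeOnDeactivate) tokens.delete(u.id); // the fixed behaviour
      }
      return json(200, { count: 1, success: true });
    }
    if (path === '/api/v1/me') return json(200, { _id: uid, success: true });
    return json(404, {});
  };
}

module.exports = { login, deactivateIdle, tokenStillValid, checkSessionRevocation, makeFakeServer };
```

Against a real instance, pass the server URL and real credentials and omit the last argument so the global fetch is used; a result of 'vulnerable' means the old token was still accepted after deactivation and the instance has not been upgraded to a fixed version. The injected fake reproduces both outcomes so the check itself can be validated without a server.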

PUBLISHED Reserved 2026-05-13 | Published 2026-06-24 | Updated 2026-06-25 | Assigner GitHub_M

LOW: 2.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-613: Insufficient Session Expiration

Product status

>= 8.5.0-rc.0, < 8.5.0
affected

>= 8.4.0-rc.0, < 8.4.2
affected

>= 8.3.0-rc.0, < 8.3.4
affected

>= 8.2.0-rc.0, < 8.2.4
affected

>= 8.1.0-rc.0, < 8.1.5
affected

>= 8.0.0-rc.0, < 8.0.6
affected

>= 7.11.0-rc.0, < 7.13.8
affected

< 7.10.12
affected

References

github.com/...t.Chat/security/advisories/GHSA-6g3w-vg5p-w892 exploit

github.com/...t.Chat/security/advisories/GHSA-6g3w-vg5p-w892

cve.org (CVE-2026-45757)

nvd.nist.gov (CVE-2026-45757)
