CVE-2026-45757

Summary

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

Affected Software

VendorProductVersion RangeStatus
RocketChatRocket.Chat>= 8.5.0-rc.0, < 8.5.0affected
RocketChatRocket.Chat>= 8.4.0-rc.0, < 8.4.2affected
RocketChatRocket.Chat>= 8.3.0-rc.0, < 8.3.4affected
RocketChatRocket.Chat>= 8.2.0-rc.0, < 8.2.4affected
RocketChatRocket.Chat>= 8.1.0-rc.0, < 8.1.5affected
RocketChatRocket.Chat>= 8.0.0-rc.0, < 8.0.6affected
RocketChatRocket.Chat>= 7.11.0-rc.0, < 7.13.8affected
RocketChatRocket.Chat< 7.10.12affected

Weaknesses

  • CWE-613: CWE-613: Insufficient Session Expiration

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References