CVE-2026-45757
2.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| RocketChat | Rocket.Chat | >= 8.5.0-rc.0, < 8.5.0 | affected |
| RocketChat | Rocket.Chat | >= 8.4.0-rc.0, < 8.4.2 | affected |
| RocketChat | Rocket.Chat | >= 8.3.0-rc.0, < 8.3.4 | affected |
| RocketChat | Rocket.Chat | >= 8.2.0-rc.0, < 8.2.4 | affected |
| RocketChat | Rocket.Chat | >= 8.1.0-rc.0, < 8.1.5 | affected |
| RocketChat | Rocket.Chat | >= 8.0.0-rc.0, < 8.0.6 | affected |
| RocketChat | Rocket.Chat | >= 7.11.0-rc.0, < 7.13.8 | affected |
| RocketChat | Rocket.Chat | < 7.10.12 | affected |
Weaknesses
- CWE-613: CWE-613: Insufficient Session Expiration
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.