CVE-2026-49278
6.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Summary
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| RocketChat | Rocket.Chat | >= 8.5.0-rc.0, < 8.5.0 | affected |
| RocketChat | Rocket.Chat | >= 8.4.0-rc.0, < 8.4.2 | affected |
| RocketChat | Rocket.Chat | >= 8.3.0-rc.0, < 8.3.4 | affected |
| RocketChat | Rocket.Chat | >= 8.2.0-rc.0, < 8.2.4 | affected |
| RocketChat | Rocket.Chat | >= 8.1.0-rc.0, < 8.1.5 | affected |
| RocketChat | Rocket.Chat | >= 8.0.0-rc.0, < 8.0.6 | affected |
| RocketChat | Rocket.Chat | >= 7.11.0-rc.0, < 7.13.8 | affected |
| RocketChat | Rocket.Chat | < 7.10.12 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.