Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Published: 2026-06-24
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat’s users.deactivateIdle function marks a user as inactive for idleness but does not revoke previously issued login tokens. As a result, a deactivated user can continue to call authenticated REST endpoints using the old token, effectively maintaining unauthorized access. The flaw allows any party that possesses a valid token of an idle‑deactivated account to perform actions on behalf of that user until the token expires or is otherwise invalidated.

Affected Systems

The vulnerability affects Rocket.Chat, specifically versions earlier than 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. These releases allow the deactivation process to leave existing authentication tokens valid.

Risk and Exploitability

With a CVSS score of 2.3, the technical severity is considered low. The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known exploitation in the wild. Inferred from the description, the likely attack vector requires an attacker to already possess a valid token belonging to an idle-deactivated user (obtained through token leakage or a compromised account), after which they can execute authenticated API calls. The risk is limited to the lifespan of the token and the permissions granted to the account. Nonetheless, this presents an opportunity for covert abuse of privileged operations while a user is marked inactive.

Generated by OpenCVE AI on June 24, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to at least version 8.5.0 (or the corresponding patched versions 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12 if still using older release lines).
  • Immediately revoke all existing login tokens for any users that have been deactivated; use the token revocation endpoint or database operations to invalidate stale tokens.
  • Verify that after deactivation no authenticated requests succeed with the old token by performing audit tests against the REST API.
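The Impact section above and the recommended revoke-and-verify actions are illustrated by the following added example. It is not Rocket.Chat's code: it is a minimal in-memory model of the CWE-613 defect, and the store layout, field names and function names are assumptions.

```javascript
// Added example, not Rocket.Chat's code: a minimal in-memory model of the
// CWE-613 defect described above. Store layout and names are assumptions.

// Constructed sample data: one idle user holding two issued login tokens.
function makeStore() {
  return new Map([
    ['alice', { active: true,
                lastActivity: Date.parse('2026-01-01T00:00:00Z'),
                loginTokens: new Set(['tok-A', 'tok-B']) }],
  ]);
}

const DAY_MS = 86400000;

// Vulnerable deactivation: flips the account flag but leaves every
// already-issued token in place, so the sessions outlive the account.
function deactivateIdleVulnerable(store, userId, idleDays, now) {
  const u = store.get(userId);
  if (!u || now - u.lastActivity < idleDays * DAY_MS) return false;
  u.active = false;
  return true;
}

// Hardened deactivation: same idleness test, but revokes all tokens too,
// so a stale or stolen token dies together with the account.
function deactivateIdleFixed(store, userId, idleDays, now) {
  if (!deactivateIdleVulnerable(store, userId, idleDays, now)) return false;
  store.get(userId).loginTokens.clear();
  return true;
}

// Token check as the vulnerable code path does it: token presence only.
function authByTokenOnly(store, token) {
  for (const [id, u] of store) if (u.loginTokens.has(token)) return id;
  return null;
}

// Defence in depth: even if revocation is skipped, refuse tokens whose
// account is no longer active, so a stale token cannot reach the API.
function authWithStatusCheck(store, token) {
  const id = authByTokenOnly(store, token);
  return id !== null && store.get(id).active ? id : null;
}

// Audit helper for the "verify after deactivation" step: lists inactive
// accounts that still hold live tokens (empty on a correctly fixed system).
function inactiveUsersWithTokens(store) {
  return [...store].filter(([, u]) => !u.active && u.loginTokens.size > 0)
                   .map(([id]) => id);
}
```

Running the vulnerable path shows the old token still authenticating after deactivation, while the fixed path and the status check both reject it.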



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Title         (none)           Rocket.Chat: users.deactivateIdle deactivates accounts without revoking existing login tokens
Weaknesses    (none)           CWE-613
References    (none)           (none)
Metrics       (none)           cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:02:14.090Z

Reserved: 2026-05-13T06:54:34.221Z

Link: CVE-2026-45757

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:15:03Z

Weaknesses
  • CWE-613: Insufficient Session Expiration