Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Published: 2026-06-24
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat’s users.deactivateIdle function marks a user as inactive for idleness but does not revoke previously issued login tokens. Users deactivated through this method can continue to call authenticated REST endpoints using the old token, allowing unauthorized access until the token expires or is manually invalidated. The vulnerability exists in all versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, and permits any party possessing a valid token to perform actions on behalf of that idle‑deactivated account.

Affected Systems

The vulnerability affects Rocket.Chat, specifically versions earlier than 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. These releases allow the deactivation process to leave existing authentication tokens valid.

Risk and Exploitability

With a CVSS score of 2.3, the technical severity is considered low. The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known exploitation in the wild. Inferred from the description, the likely attack vector requires an attacker to possess a valid, inactive user’s token—obtained through token leakage or a compromised account—after which they can execute authenticated API calls. The risk is limited to the lifespan of the token and the permissions granted to the account. Nonetheless this presents an opportunity for covert abuse of privileged operations while a user is marked inactive.

Generated by OpenCVE AI on June 25, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to at least version 8.5.0 (or the corresponding patched versions 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8, or 7.10.12 if still using older releases).
  • Immediately revoke all existing login tokens for any users that have been deactivated; use the token revocation endpoint or database operations to invalidate stale tokens.
  • Verify that after deactivation no authenticated requests succeed with the old token by performing audit tests against the REST API.

Generated by OpenCVE AI on June 25, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Rocketchat
Rocketchat rocket.chat
Vendors & Products Rocketchat
Rocketchat rocket.chat

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Title Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens
Weaknesses CWE-613
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Rocketchat Rocket.chat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:32:31.225Z

Reserved: 2026-05-13T06:54:34.221Z

Link: CVE-2026-45757

cve-icon Vulnrichment

Updated: 2026-06-25T15:31:51.734Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:30:04Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration