Impact
The Rocket.Chat API endpoint that returns visitor information unintentionally includes the visitor's bearer token in the JSON payload for versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. There is no legitimate use case for exposing the token, so the practice is substandard and should be removed. Because the token can be captured from the response, an attacker can impersonate the visitor and bypass authentication controls, gaining full interaction capabilities under that user's identity. This is an improper authentication flaw, classified as CWE-285, and could undermine the confidentiality and integrity of user sessions.
Affected Systems
The affected product is Rocket.Chat, an open‑source communications platform. Any installation running a Rocket.Chat version older than the fixed releases—v8.5.0, v8.4.2, v8.3.4, v8.2.4, v8.1.5, v8.0.6, 7.13.8, or v7.10.12—may issue the visitors.info endpoint with the bearer token in its response. These older versions span the 8.x and 7.x series released before the corresponding security updates.
Risk and Exploitability
The CVSS v3.1 score of 6.7 indicates medium severity, and the vulnerability is not listed in KEV, implying no confirmed public exploitation yet. EPSS is not available, so the public exploitation likelihood is currently unknown. Based on the description, the likely attack vector is inferred to be network‑based authentication to the Rocket.Chat API or possession of a valid visitor session that allows querying visitor data; such a session can retrieve the token from the endpoint. Once in possession of the token, the attacker can effectively impersonate the visitor and perform any actions permitted to that user, including sensitive messaging or administrative tasks if the visitor holds privileges.
OpenCVE Enrichment