Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Published: 2026-06-24
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Rocket.Chat API endpoint that returns visitor information unintentionally includes the visitor's bearer token in the JSON payload for versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. There is no legitimate use case for exposing the token, so the practice is substandard and should be removed. Because the token can be captured from the response, an attacker can impersonate the visitor and bypass authentication controls, gaining full interaction capabilities under that user's identity. This is an improper authentication flaw, classified as CWE-285, and could undermine the confidentiality and integrity of user sessions.

Affected Systems

The affected product is Rocket.Chat, an open‑source communications platform. Any installation running a Rocket.Chat version older than the fixed releases—v8.5.0, v8.4.2, v8.3.4, v8.2.4, v8.1.5, v8.0.6, 7.13.8, or v7.10.12—may issue the visitors.info endpoint with the bearer token in its response. These older versions span the 8.x and 7.x series released before the corresponding security updates.

Risk and Exploitability

The CVSS v3.1 score of 6.7 indicates medium severity, and the vulnerability is not listed in KEV, implying no confirmed public exploitation yet. EPSS is not available, so the public exploitation likelihood is currently unknown. Based on the description, the likely attack vector is inferred to be network‑based authentication to the Rocket.Chat API or possession of a valid visitor session that allows querying visitor data; such a session can retrieve the token from the endpoint. Once in possession of the token, the attacker can effectively impersonate the visitor and perform any actions permitted to that user, including sensitive messaging or administrative tasks if the visitor holds privileges.

Generated by OpenCVE AI on June 25, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to version 8.5.04.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12 or later to remove the exposed bearer token from the visitors.info response.
  • If an immediate upgrade is not feasible, revoke or rotate all active visitor bearer tokens and restrict access to the visitors.info endpoint via role‑based access control, limiting it to administrators only.
  • Deploy a web application firewall rule that inspects visitors.info responses for bearer tokens and blocks any traffic containing them.

Generated by OpenCVE AI on June 25, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Rocketchat
Rocketchat rocket.chat
Vendors & Products Rocketchat
Rocketchat rocket.chat

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Title Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor Impersonation
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}


Subscriptions

Rocketchat Rocket.chat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:30.759Z

Reserved: 2026-05-28T20:07:58.861Z

Link: CVE-2026-49278

cve-icon Vulnrichment

Updated: 2026-06-25T23:07:58.169Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:30:04Z

Weaknesses