CVE-2026-45757

Vulnerability Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

Vulnerability Details

Published Date

June 24, 2026

Last Modified

June 24, 2026

CWE ID

CWE-613

Source

NVD

Vendor

RocketChat

Product

Rocket.Chat

External References

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment