CVE-2026-45757
LowCVSS 2.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
Rocket.Chat prior to versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allowed users deactivated through users.deactivateIdle to continue using already-issued login tokens. A user marked inactive by an administrator could still access authenticated REST endpoints with the old token.
Risk Assessment
The risk is that deactivated users can still access the system, potentially leading to unauthorized access to data and functions. This poses a security threat to the organization.
Recommendation
It is recommended to upgrade to versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12 to mitigate this vulnerability. An audit of active login tokens should also be conducted.
Original NVD description (English source)
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

