CVE-2026-49277
CVSS 2.3 (Low)
Exploitation Probability (EPSS): Low risk, 12th percentile — higher than 12% of all known CVEs
Summary
Vulnerability in Rocket.Chat before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 where OAuth bearer or refresh tokens are not revoked when a user is deactivated. A deactivated user can continue using an existing access token or mint a fresh token from a refresh token.
Risk Assessment
Risk involves deactivated users retaining unauthorized access to the system, potentially leading to data leakage, confidentiality breaches, or further attacks.
Recommendation
Immediately upgrade Rocket.Chat to one of the patched versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12. After upgrade, the system will automatically revoke OAuth tokens for deactivated users.
Original NVD description (English source)
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

