CVE Catalog

CVE-2026-49277

Severity: Low (CVSS 2.3)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

Vulnerability in Rocket.Chat before versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 where OAuth bearer or refresh tokens are not revoked when a user is deactivated. A deactivated user can continue using an existing access token or mint a fresh token from a refresh token.

Risk Assessment

The risk is that deactivated users retain access to the system through tokens that should have been revoked, which can lead to data leakage, confidentiality breaches, or further attacks.

Recommendation

Immediately upgrade Rocket.Chat to one of the patched versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12. After upgrade, the system will automatically revoke OAuth tokens for deactivated users.

Original NVD description (English source)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS