CVE-2026-45757
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-45757
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rocket_chat rocket_chat to 8.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. It allows users who have been deactivated due to idleness through the users.deactivateIdle feature to continue using their previously issued login tokens. Essentially, even after an administrator marks a user as inactive for being idle, that user can still access authenticated REST endpoints using their old token.

Impact Analysis

The impact of this vulnerability is that deactivated users can still access the system with their old login tokens, potentially allowing unauthorized access to authenticated REST endpoints. This could lead to unauthorized actions or data exposure by users who should no longer have access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45757. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart