CVE-2026-45757
Deferred Deferred - Pending Action

Session Fixation in Rocket.Chat

Vulnerability report for CVE-2026-45757, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket_chat rocket_chat to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. It allows users who have been deactivated due to idleness through the users.deactivateIdle feature to continue using their previously issued login tokens. Essentially, even after an administrator marks a user as inactive for being idle, that user can still access authenticated REST endpoints using their old token.

Impact Analysis

The impact of this vulnerability is that deactivated users can still access the system with their old login tokens, potentially allowing unauthorized access to authenticated REST endpoints. This could lead to unauthorized actions or data exposure by users who should no longer have access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.

Compliance Impact

This vulnerability allows deactivated users to continue accessing authenticated REST endpoints using previously issued login tokens, which means that user access is not properly revoked upon deactivation.

Such unauthorized continued access could potentially lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict control over user access and timely revocation of credentials to protect personal and sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards.

Detection Guidance

This vulnerability involves deactivated users retaining access via already-issued login tokens, allowing continued access to authenticated REST endpoints.

To detect this on your system, you can monitor API access logs for requests authenticated with tokens belonging to users marked as inactive or idle.

Specifically, you can query your Rocket.Chat user database or API to identify users flagged as inactive through users.deactivateIdle and then cross-reference active API tokens associated with those users.

  • Check for users marked inactive but still having valid login tokens.
  • Inspect API access logs for token usage by inactive users.

Example commands might include querying the Rocket.Chat database or API for inactive users and their tokens, such as:

  • Using MongoDB shell to find inactive users: db.users.find({active: false})
  • Checking tokens associated with these users if stored in the database.

Additionally, monitoring HTTP access logs for REST API calls authenticated with tokens from inactive users can help detect exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45757. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart