CVE-2026-49277
Deferred Deferred - Pending Action

OAuth Token Persistence in Rocket.Chat

Vulnerability report for CVE-2026-49277, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
rocket.chat rocket.chat to 8.5.0 (exc)
rocket.chat rocket.chat 8.5.0
rocket.chat rocket.chat 8.4.2
rocket.chat rocket.chat 8.3.4
rocket.chat rocket.chat 8.2.4
rocket.chat rocket.chat 8.1.5
rocket.chat rocket.chat 8.0.6
rocket.chat rocket.chat 7.13.8
rocket.chat rocket.chat 7.10.12

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows deactivated users to continue using existing OAuth access tokens and mint new access tokens from refresh tokens, which means that access control is not properly enforced upon user deactivation.

Such a flaw can lead to unauthorized access to sensitive data or systems, potentially violating data protection requirements in standards and regulations like GDPR and HIPAA that mandate strict access controls and timely revocation of user privileges.

Therefore, this vulnerability could negatively impact compliance with these regulations by failing to ensure that deactivated users lose access promptly.

Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. The issue is that when a user is deactivated, Rocket.Chat does not revoke their OAuth bearer or refresh tokens.

As a result, a deactivated user can still use an existing OAuth access token to access the system, and can also generate a new access token from an existing refresh token, effectively maintaining access despite deactivation.

This flaw is fixed in the versions listed above.

Impact Analysis

The vulnerability allows deactivated users to continue accessing Rocket.Chat services using valid OAuth tokens.

This means unauthorized access can persist even after a user is supposed to be removed or blocked, potentially leading to data exposure or misuse of the communication platform.

Mitigation Strategies

To mitigate this vulnerability, upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.

Detection Guidance

This vulnerability involves OAuth bearer and refresh tokens remaining valid after a user account is deactivated in affected Rocket.Chat versions. Detection would involve monitoring OAuth token usage and verifying whether tokens associated with deactivated users are still accepted by the system.

Since the vulnerability allows continued API access via OAuth tokens after user deactivation, you can detect it by checking for active OAuth tokens linked to deactivated accounts.

Suggested commands or approaches include:

  • Query the Rocket.Chat database or API to list users marked as deactivated.
  • Check OAuth token storage or logs to identify tokens issued to those deactivated users.
  • Use API calls or database queries to verify if OAuth tokens for deactivated users are still accepted.
  • Monitor API access logs for activity from deactivated user accounts.

Specific commands depend on your Rocket.Chat deployment and logging setup. For example, if you have database access, you might run queries to find tokens linked to deactivated users. If you have API access, you might attempt to use OAuth tokens from deactivated users to test if access is still granted.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart