CVE-2026-49277
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 9 associated CPEs

Vendor        Product       Version / Range
rocket.chat   rocket.chat   up to 8.5.0 (excluding)
rocket.chat   rocket.chat   8.5.0
rocket.chat   rocket.chat   8.4.2
rocket.chat   rocket.chat   8.3.4
rocket.chat   rocket.chat   8.2.4
rocket.chat   rocket.chat   8.1.5
rocket.chat   rocket.chat   8.0.6
rocket.chat   rocket.chat   7.13.8
rocket.chat   rocket.chat   7.10.12
CWE
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. The issue is that when a user is deactivated, Rocket.Chat does not revoke their OAuth bearer or refresh tokens.

As a result, a deactivated user can still use an existing OAuth access token to access the system, and can also generate a new access token from an existing refresh token, effectively maintaining access despite deactivation.

This flaw is fixed in the versions listed above.

Impact Analysis

The vulnerability allows deactivated users to continue accessing Rocket.Chat services using valid OAuth tokens.

This means unauthorized access can persist even after a user is supposed to be removed or blocked, potentially leading to data exposure or misuse of the communication platform.

Mitigation Strategies

To mitigate this vulnerability, upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.
