CVE-2026-55762
Deferred Deferred - Pending Action

Authentication Bypass in Rocket.Chat Workspace Deregistration

Vulnerability report for CVE-2026-55762, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user β€” including a standard user role account β€” can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket_chat rocket_chat to 8.5.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if the Rocket.Chat instance is running a vulnerable version prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13. Additionally, you can test if the /api/v1/fingerprint endpoint allows authenticated users to send a POST request with the payload {"setDeploymentAs": "new-workspace"} without proper authorization.

A suggested command to test this on your system or network is to use curl to send the POST request as an authenticated user:

  • curl -X POST https://your-rocket-chat-instance/api/v1/fingerprint -H "Content-Type: application/json" -H "X-Auth-Token: <user-auth-token>" -H "X-User-Id: <user-id>" -d '{"setDeploymentAs": "new-workspace"}'

If the request succeeds and the workspace is deregistered or the response indicates success without proper authorization checks, the system is vulnerable.

Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The POST /api/v1/fingerprint REST endpoint requires authentication but does not perform any authorization checks. This means that any authenticated user, even those with standard user roles, can call this endpoint with the parameter {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud.

As a result, this action wipes all cloud credentials, removes the workspace license, disables push notifications for all users, and forces a manual re-registration process to recover the workspace.

Impact Analysis

The impact of this vulnerability is significant for any organization using affected versions of Rocket.Chat. An authenticated user with standard privileges can disrupt the entire workspace by deregistering it from Rocket.Chat Cloud.

  • All cloud credentials associated with the workspace will be wiped.
  • The workspace license will be removed.
  • Push notifications for all users will stop working.
  • Manual re-registration of the workspace will be required to restore normal operations.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13.

Until the upgrade is applied, restrict authenticated user access to the POST /api/v1/fingerprint REST endpoint to prevent unauthorized deregistration of the workspace.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55762. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart