CVE-2026-55762
Status: Received - Intake
Authentication Bypass in Rocket.Chat Workspace Deregistration

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user (including an account with only the standard user role) can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: rocket_chat
Product: rocket_chat
Version / Range: up to 8.5.1 (excluding 8.5.1)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. The POST /api/v1/fingerprint REST endpoint requires authentication but does not perform any authorization checks. This means that any authenticated user, even those with standard user roles, can call this endpoint with the parameter {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud.

As a result, this action wipes all cloud credentials, removes the workspace license, disables push notifications for all users, and forces a manual re-registration process to recover the workspace.

Impact Analysis

The impact of this vulnerability is significant for any organization using affected versions of Rocket.Chat. An authenticated user with standard privileges can disrupt the entire workspace by deregistering it from Rocket.Chat Cloud.

  • All cloud credentials associated with the workspace will be wiped.
  • The workspace license will be removed.
  • Push notifications for all users will stop working.
  • Manual re-registration of the workspace will be required to restore normal operations.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13.

Until the upgrade is applied, restrict authenticated user access to the POST /api/v1/fingerprint REST endpoint to prevent unauthorized deregistration of the workspace.
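As an added illustration of that interim restriction (not configuration shipped by Rocket.Chat or taken from the advisory), the following nginx fragment rejects POST requests to the endpoint at a reverse proxy placed in front of the server. It assumes nginx fronts Rocket.Chat on an upstream listening on 127.0.0.1:3000 and uses a placeholder hostname; both are assumptions. Because the proxy cannot tell an administrator's session from a standard user's, the rule blocks the endpoint for everyone and is meant to be lifted once a fixed version is deployed.

```nginx
# Added example: interim block for CVE-2026-55762 at a reverse proxy.
# Assumes nginx in front of Rocket.Chat; upstream address and hostname are placeholders.
upstream rocketchat {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name chat.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # Match only the vulnerable path. limit_except allows GET (and HEAD) through
    # and answers every other method, including POST, with 403 before the
    # request ever reaches Rocket.Chat.
    location = /api/v1/fingerprint {
        limit_except GET {
            deny all;
        }
        # Keep a dedicated log so denied attempts are easy to review.
        access_log /var/log/nginx/fingerprint-denied.log;
        proxy_pass http://rocketchat;
    }

    # Everything else, including the websocket transport, is proxied unchanged.
    location / {
        proxy_pass http://rocketchat;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate and reload with `nginx -t && nginx -s reload`. Any 403 entries in the dedicated log are worth correlating with the authenticated user in Rocket.Chat's own logs, since a blocked call from a standard account is a signal in itself. Remove the location block after upgrading to one of the fixed versions so administrators regain normal use of the endpoint.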
