Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

Severity (CVSS)

Base score: 2.3
Severity: Low
Version: CVSS 4.0
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Provided by: CNA

Weaknesses

  • CWE-613: Insufficient Session Expiration

Affected products

Vendor: RocketChat
Product: Rocket.Chat
Versions: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.2; >= 8.3.0-rc.0, < 8.3.4; >= 8.2.0-rc.0, < 8.2.4; >= 8.1.0-rc.0, < 8.1.5; >= 8.0.0-rc.0, < 8.0.6; >= 7.11.0-rc.0, < 7.13.8; < 7.10.12

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 25 Jun 2026 10:14 UTC.