Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Severity (CVSS)
| Base score | 2.3 |
|---|---|
| Severity | Low |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-613 — CWE-613: Insufficient Session Expiration
Affected products
| Vendor | Product | Versions |
|---|---|---|
| RocketChat | Rocket.Chat | >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.2; >= 8.3.0-rc.0, < 8.3.4; >= 8.2.0-rc.0, < 8.2.4; >= 8.1.0-rc.0, < 8.1.5; >= 8.0.0-rc.0, < 8.0.6; >= 7.11.0-rc.0, < 7.13.8; < 7.10.12 |
References
- https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892 (x_refsource_CONFIRM)
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.