2.3

CVE-2026-45757

Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRocketChat
Produkt Rocket.Chat
Version >= 8.5.0-rc.0, < 8.5.0
Status affected
Version >= 8.4.0-rc.0, < 8.4.2
Status affected
Version >= 8.3.0-rc.0, < 8.3.4
Status affected
Version >= 8.2.0-rc.0, < 8.2.4
Status affected
Version >= 8.1.0-rc.0, < 8.1.5
Status affected
Version >= 8.0.0-rc.0, < 8.0.6
Status affected
Version >= 7.11.0-rc.0, < 7.13.8
Status affected
Version < 7.10.12
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.22% 0.118
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 2.3 0 0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892