CVE-2026-49278
- CVSS base score 6.7
- EPSS 0.24%
- Published 24.06.2026 21:16:54
- Last modified 25.06.2026 14:19:40
- Source security-advisories@github.com
Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor Impersonation
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, the visitors.info endpoint (https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1) returns the visitor's token in its response. There appears to be no use case for the token to be present in the response, and it is good security practice to remove it altogether. The CVSS vector (PR:H) reflects that the endpoint itself requires a privileged authenticated caller; the exposure is that such a caller obtains the token a client presents to act as that visitor, and can therefore impersonate the visitor. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Data is provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
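The following is an added example, not code from the Rocket.Chat project or from the advisory. It shows the response-building pattern the advisory describes (serializing the stored visitor record wholesale, token included) beside a hardened form that emits only an allow-list of public fields, plus a checker that flags a captured JSON response body in which a visitor token appears. The response shape `{ visitor: {...}, success: true }`, the field names, and the sample record are assumptions modelled on the advisory text; only the fact that a field named `token` is returned comes from the page.

```javascript
// Added example (not Rocket.Chat code). Response shape, field names and the
// sample record below are assumptions for illustration.

// Constructed sample record, as an endpoint might load it from storage.
const storedVisitor = {
  _id: 'visitor-id-1',
  username: 'guest-42',
  name: 'Guest',
  token: 'SECRET-visitor-token', // constructed secret that must not leave the server
  visitorEmails: [{ address: 'guest@example.com' }],
};

// Vulnerable pattern: the stored record is spread into the response as-is,
// so every field, including the token, reaches the caller.
function buildVisitorInfoLeaky(visitor) {
  return { visitor: { ...visitor }, success: true };
}

// Hardened pattern: an allow-list of public fields. A deny-list
// ("delete visitor.token") would silently leak any secret field added later;
// an allow-list fails closed.
const PUBLIC_VISITOR_FIELDS = ['_id', 'username', 'name', 'visitorEmails'];

function buildVisitorInfoSafe(visitor) {
  const pub = {};
  for (const key of PUBLIC_VISITOR_FIELDS) {
    if (visitor[key] !== undefined) pub[key] = visitor[key];
  }
  return { visitor: pub, success: true };
}

// Checker for a captured response: accepts the raw JSON text or the parsed
// object and returns true if a non-empty string field named "token" occurs
// anywhere in the body (nested objects and arrays are walked).
function responseLeaksToken(body) {
  const root = typeof body === 'string' ? JSON.parse(body) : body;
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    for (const [key, value] of Object.entries(node)) {
      if (key === 'token' && typeof value === 'string' && value.length > 0) {
        return true;
      }
      stack.push(value);
    }
  }
  return false;
}

// Usage: compare both serializers against the same record.
console.log('leaky response leaks token:', responseLeaksToken(buildVisitorInfoLeaky(storedVisitor)));
console.log('safe response leaks token: ', responseLeaksToken(buildVisitorInfoSafe(storedVisitor)));
```

The checker is deliberately shape-agnostic so it can be pointed at a saved response body from any version of the endpoint; if it returns true on a patched release, the instance is not actually running the fixed code.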
Vendor: RocketChat
Product: Rocket.Chat

| Version range | Status |
|---|---|
| >= 8.5.0-rc.0, < 8.5.0 | affected |
| >= 8.4.0-rc.0, < 8.4.2 | affected |
| >= 8.3.0-rc.0, < 8.3.4 | affected |
| >= 8.2.0-rc.0, < 8.2.4 | affected |
| >= 8.1.0-rc.0, < 8.1.5 | affected |
| >= 8.0.0-rc.0, < 8.0.6 | affected |
| >= 7.11.0-rc.0, < 7.13.8 | affected |
| < 7.10.12 | affected |
VulnDex Vulnerability Enrichment

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.153 |

| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.7 | 1.2 | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-cqj7-h8cj-jmf2