Skip to main content

Rocket.Chat CVE-2026-49278

| EUVDEUVD-2026-39099 MEDIUM
Improper Authorization (CWE-285)
2026-06-24 security-advisories@github.com
6.7
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.7 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
6.5 MEDIUM

Network endpoint requires high-privilege credentials; token harvesting is read-only so availability impact is none, not low.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 21:44 vuln.today

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

AnalysisAI

Rocket.Chat's Omnichannel visitors.info API endpoint exposes visitor session tokens in response payloads, enabling a privileged caller to capture and reuse those tokens for authentication bypass against LiveChat visitor identities. Affected deployments span multiple 7.x and 8.x release branches, with vendor-confirmed fixes across seven patch releases. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Omnichannel operator or admin
Delivery
Call GET /v1/livechat/visitors.info for target visitor
Exploit
Extract visitor token from API response body
Execution
Authenticate as victim visitor using harvested token
Impact
Impersonate visitor in active LiveChat session

Vulnerability AssessmentAI

Exploitation The caller must hold high-privilege credentials (administrator or Omnichannel operator role) sufficient to query the visitors.info endpoint, consistent with PR:H in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 6.7 (Medium) is anchored by PR:H, meaning only highly privileged accounts - administrators or Omnichannel operators - can call the visitors.info endpoint and trigger token exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Omnichannel operator or administrator issues a GET request to /v1/livechat/visitors.info with a target visitor's ID and extracts the visitor token from the response payload. The attacker then presents that token to authenticate as the visitor and interact with their LiveChat session - reading message history, sending messages on their behalf, or pivoting to any other function the visitor token authorizes. …
Remediation Upgrade to the nearest vendor-released fixed version matching your current deployment branch: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy