Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Network endpoint requires high-privilege credentials; token harvesting is read-only so availability impact is none, not low.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
AnalysisAI
Rocket.Chat's Omnichannel visitors.info API endpoint exposes visitor session tokens in response payloads, enabling a privileged caller to capture and reuse those tokens for authentication bypass against LiveChat visitor identities. Affected deployments span multiple 7.x and 8.x release branches, with vendor-confirmed fixes across seven patch releases. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The caller must hold high-privilege credentials (administrator or Omnichannel operator role) sufficient to query the visitors.info endpoint, consistent with PR:H in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 6.7 (Medium) is anchored by PR:H, meaning only highly privileged accounts - administrators or Omnichannel operators - can call the visitors.info endpoint and trigger token exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Omnichannel operator or administrator issues a GET request to /v1/livechat/visitors.info with a target visitor's ID and extracts the visitor token from the response payload. The attacker then presents that token to authenticate as the visitor and interact with their LiveChat session - reading message history, sending messages on their behalf, or pivoting to any other function the visitor token authorizes. … |
| Remediation | Upgrade to the nearest vendor-released fixed version matching your current deployment branch: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39099