Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Any authenticated low-privilege user can call a network endpoint with no UI (PR:L, AV:N, AC:L, UI:N); destructive deregistration harms integrity and availability but exposes no data, so C:N, I:H, A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user - including a standard user role account - can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
AnalysisAI
{"setDeploymentAs": "new-workspace"}. The endpoint correctly requires authentication but performs no role/permission check (CWE-862), so the action wipes cloud credentials, removes the workspace license, and breaks push notifications for all users until manual re-registration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated session of any role - a standard, low-privilege user account suffices (CVSS PR:L); no admin rights, no user interaction, and no special configuration of the endpoint itself are needed beyond the workspace being registered with Rocket.Chat Cloud (so cloud-connected deployments are the realistic targets). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine, easily-triggered integrity/availability problem rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds an ordinary (non-admin) Rocket.Chat account on a target workspace, authenticates to obtain a session token, and sends a single POST to /api/v1/fingerprint with body {"setDeploymentAs": "new-workspace"}. The server deregisters from Rocket.Chat Cloud, invalidating cloud credentials and the license and silencing push notifications for every user until an admin manually re-registers. … |
| Remediation | Upgrade to the patched release for your branch: Rocket.Chat 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13 (Vendor-released patch per advisory GHSA-8hhc-j325-rxqp at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-8hhc-j325-rxqp). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Restrict network access to the affected deployment endpoint to administrative IP ranges only via firewall or API gateway; audit workspace modification logs for unauthorized changes in the past 30 days; reset cloud workspace credentials as a precaution. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rocket Chat
View allA sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti
A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic
A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev
An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema
An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity
Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39121