Skip to main content

Rocket.Chat EUVDEUVD-2026-39097

| CVE-2026-45757 LOW
Insufficient Session Expiration (CWE-613)
2026-06-24 security-advisories@github.com
2.3
CVSS 4.0 · Vendor: github

Severity by source

Vendor (github) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.2 MEDIUM

AV:N for REST API access, AC:H because exploitation depends on the specific idle-deactivation workflow and retained token; PR:L because the attacker previously held valid user credentials on the instance.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 21:43 vuln.today

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

AnalysisAI

Insufficient session expiration in Rocket.Chat allows users administratively deactivated via the users.deactivateIdle mechanism to continue accessing authenticated REST API endpoints using previously-issued login tokens that were never invalidated. All Rocket.Chat deployments across the 7.x and 8.x release branches prior to the fixed versions are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Admin runs users.deactivateIdle API
Delivery
Target user account marked inactive, token not revoked
Exploit
Deactivated user retains previously-issued login token
Execution
User sends authenticated REST API request using stale token
Persist
Server accepts token without checking deactivation status
Impact
Unauthorized read or write access to Rocket.Chat data

Vulnerability AssessmentAI

Exploitation Exploitation requires three specific, concurrent conditions: (1) an administrator must have deactivated the target user account specifically via the users.deactivateIdle administrative API - this does not apply to manual deactivation through the admin UI or account deletion, which may follow different token-handling code paths; (2) the deactivated user must still hold a previously-issued, unexpired login token from a session that was active before deactivation; and (3) the user must be aware of their deactivation and choose to continue using the old token against the REST API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 (AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N) accurately reflects a low-priority issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A former employee whose Rocket.Chat account was deactivated by an administrator using the users.deactivateIdle API retains their login token from an active session. Because the platform does not invalidate the token on idle-deactivation, the user continues to send REST API requests - reading messages, accessing files, or modifying channel content - as if their account remained active. …
Remediation Upgrade to one of the vendor-patched releases: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, or 8.0.6 in the 8.x branch, or 7.13.8 and 7.10.12 in the 7.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy