Skip to main content

Rocket.Chat EUVDEUVD-2026-39098

| CVE-2026-49277 LOW
Insufficient Session Expiration (CWE-613)
2026-06-24 security-advisories@github.com
2.3
CVSS 4.0 · Vendor: github

Severity by source

Vendor (github) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Deactivated user requires own OAuth token (PR:L); bearer use is trivial (AC:L); no user interaction needed; limited confidentiality and integrity impact, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 21:44 vuln.today

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

AnalysisAI

Insufficient OAuth token revocation in Rocket.Chat allows deactivated user accounts to maintain persistent, unauthorized access to the platform. Affected versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 fail to invalidate bearer or refresh tokens upon account deactivation, meaning a deactivated user can continue accessing resources with an existing bearer token or mint entirely new bearer tokens from a retained refresh token. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Retain OAuth refresh token before account deactivation
Delivery
Admin deactivates user account
Exploit
Exchange refresh token for new bearer token
Execution
Authenticate to Rocket.Chat API with new token
Persist
Access messages, files, and channels
Impact
Persist unauthorized access indefinitely

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be a formerly legitimate Rocket.Chat user whose account has been deactivated but not deleted, and who retains a previously issued OAuth bearer token or refresh token. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-reported CVSS 4.0 score of 2.3 (AV:N/AC:H/AT:N/PR:N/UI:P) reflects a conservative assessment, but several metric choices warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An employee is offboarded and their Rocket.Chat account is deactivated by an administrator. The former employee, retaining an OAuth refresh token from a previously authorized mobile or third-party application, uses that refresh token to obtain a new bearer token from Rocket.Chat's OAuth endpoint. …
Remediation Upgrade Rocket.Chat to one of the patched releases: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12, selecting the version that corresponds to the currently deployed release branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy