Skip to main content

Rocket.Chat EUVDEUVD-2026-39121

| CVE-2026-55762 HIGH
Missing Authorization (CWE-862)
2026-06-24 GitHub_M
8.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
8.1 HIGH

Any authenticated low-privilege user can call a network endpoint with no UI (PR:L, AV:N, AC:L, UI:N); destructive deregistration harms integrity and availability but exposes no data, so C:N, I:H, A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 23:03 EUVD
Analysis Generated
Jun 24, 2026 - 22:15 vuln.today

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user - including a standard user role account - can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

AnalysisAI

{"setDeploymentAs": "new-workspace"}. The endpoint correctly requires authentication but performs no role/permission check (CWE-862), so the action wipes cloud credentials, removes the workspace license, and breaks push notifications for all users until manual re-registration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain standard authenticated account
Delivery
Authenticate to get session token
Exploit
POST /api/v1/fingerprint setDeploymentAs new-workspace
Execution
Server skips authorization check
Impact
Workspace deregistered, license and push wiped

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated session of any role - a standard, low-privilege user account suffices (CVSS PR:L); no admin rights, no user interaction, and no special configuration of the endpoint itself are needed beyond the workspace being registered with Rocket.Chat Cloud (so cloud-connected deployments are the realistic targets). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine, easily-triggered integrity/availability problem rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds an ordinary (non-admin) Rocket.Chat account on a target workspace, authenticates to obtain a session token, and sends a single POST to /api/v1/fingerprint with body {"setDeploymentAs": "new-workspace"}. The server deregisters from Rocket.Chat Cloud, invalidating cloud credentials and the license and silencing push notifications for every user until an admin manually re-registers. …
Remediation Upgrade to the patched release for your branch: Rocket.Chat 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13 (Vendor-released patch per advisory GHSA-8hhc-j325-rxqp at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-8hhc-j325-rxqp). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Restrict network access to the affected deployment endpoint to administrative IP ranges only via firewall or API gateway; audit workspace modification logs for unauthorized changes in the past 30 days; reset cloud workspace credentials as a precaution. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-22910 CRITICAL POC
9.8 Aug 09

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an

CVE-2021-22911 CRITICAL POC
9.8 May 27

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti

CVE-2022-35248 HIGH POC
8.8 Sep 23

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic

CVE-2022-32211 HIGH POC
8.8 Sep 23

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev

CVE-2024-39713 HIGH POC
8.6 Aug 05

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev

CVE-2021-22892 HIGH POC
7.5 May 27

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema

CVE-2022-30124 MEDIUM POC
6.8 Sep 23

An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph

CVE-2022-32227 MEDIUM POC
6.5 Sep 23

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token

CVE-2022-32220 MEDIUM POC
6.5 Sep 23

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth

CVE-2021-32832 MEDIUM POC
6.5 Aug 30

Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity

CVE-2020-15926 MEDIUM POC
6.1 Aug 18

Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct

CVE-2019-17220 MEDIUM POC
6.1 Oct 21

Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i

Share

EUVD-2026-39121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy