CVE-2026-45757 | Rocket.Chat is an open-source, secure, fully customizable co… | CVSS 2.3 LOW

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

Metadata

CVE ID: CVE-2026-45757
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-13 06:54 UTC
Published: 2026-06-24 21:01 UTC
Last updated: 2026-06-24 21:02 UTC
Primary CWE: CWE-613
CWE-613: Insufficient Session Expiration
Vendor / Product: RocketChat / Rocket.Chat
Sources: cve.org · NVD

Severity & Metrics

2.3 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
RocketChat	Rocket.Chat	—	>= 8.5.0-rc.0, < 8.5.0, >= 8.4.0-rc.0, < 8.4.2, >= 8.3.0-rc.0, < 8.3.4, >= 8.2.0-rc.0, < 8.2.4 …

Weakness (CWE)

CWE	Source	Description
CWE-613	cna	CWE-613: Insufficient Session Expiration

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.3	LOW	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892 https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892