Vulnerability Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
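The failure described above is that deactivation flips an account flag but leaves already-issued tokens usable. The following is an added illustrative model, not Rocket.Chat's own code, of the invariant the fix restores: an idle-deactivation routine must revoke the account's tokens, and every authenticated request must re-check that the account is still active. `SessionStore`, `deactivate_idle` and `authenticate` are assumed names for the model; the `revoke_tokens` and `check_active` switches exist only to show the pre-fix and post-fix behaviour side by side.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# Illustrative model only (assumed names); not Rocket.Chat's implementation.
@dataclass
class User:
    username: str
    last_login: datetime
    active: bool = True
    tokens: set[str] = field(default_factory=set)

class SessionStore:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.token_owner: dict[str, str] = {}   # token -> username

    def add_user(self, username: str, last_login: datetime) -> None:
        self.users[username] = User(username, last_login)

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.users[username].tokens.add(token)
        self.token_owner[token] = username
        return token

    def deactivate_idle(self, days_idle: int, now: datetime, revoke_tokens: bool = True) -> list[str]:
        """Deactivate accounts idle for more than days_idle (model of users.deactivateIdle).
        revoke_tokens=False reproduces the pre-fix behaviour: the flag flips, tokens survive."""
        cutoff = now - timedelta(days=days_idle)
        deactivated = []
        for u in self.users.values():
            if u.active and u.last_login < cutoff:
                u.active = False
                deactivated.append(u.username)
                if revoke_tokens:
                    for t in u.tokens:
                        self.token_owner.pop(t, None)
                    u.tokens.clear()
        return deactivated

    def authenticate(self, token: str, check_active: bool = True):
        """Resolve a token to its owner; None means the request must be rejected.
        check_active=False models an endpoint that trusts the token alone."""
        username = self.token_owner.get(token)
        if username is None:
            return None
        if check_active and not self.users[username].active:
            return None
        return username
```

Either half of the fix alone closes the gap shown on this page; doing both means a stale token is rejected even if a revocation step is ever skipped.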
Related Weaknesses (CWE)
References
- https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w89
FAQ
What is CVE-2026-45757?
CVE-2026-45757 is a documented vulnerability. Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through ...
How severe is CVE-2026-45757?
CVSS scoring is not yet available for CVE-2026-45757. Check NVD for updates.
Is there a patch for CVE-2026-45757?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.