CVE-2026-45757
Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
| CWE | CWE-613 |
| Vendor | rocketchat |
| Product | rocket.chat |
| Published | Jun 24, 2026 |
| Last Updated | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for rocketchat rocket.chat
Be the first to know when new unknown vulnerabilities affecting rocketchat rocket.chat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
RocketChat / Rocket.Chat
>= 8.5.0-rc.0, < 8.5.0 >= 8.4.0-rc.0, < 8.4.2 >= 8.3.0-rc.0, < 8.3.4 >= 8.2.0-rc.0, < 8.2.4 >= 8.1.0-rc.0, < 8.1.5 >= 8.0.0-rc.0, < 8.0.6 >= 7.11.0-rc.0, < 7.13.8 < 7.10.12