CVE-2026-55762

HIGH 8.1

Rocket.Chat: Any Authenticated User Can Permanently Deregister Workspace from Rocket.Chat Cloud via Unprotected `/api/v1/fingerprint` Endpoint

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user — including a standard user role account — can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.

CWE	CWE-862
Vendor	rocketchat
Product	rocket.chat
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for rocketchat rocket.chat

Be the first to know when new high vulnerabilities affecting rocketchat rocket.chat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

RocketChat / Rocket.Chat

>= 8.5.0-rc.0, < 8.5.1 >= 8.4.0-rc.0, < 8.4.4 >= 8.3.0-rc.0, < 8.3.6 >= 8.2.0-rc.0, < 8.2.6 >= 8.1.0-rc.0, < 8.1.6 >= 7.11.0-rc.0, < 8.0.7 < 7.10.13

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-8hhc-j325-rxqp