Unrated severityNVD Advisory· Published Jun 24, 2026· Updated Jun 24, 2026

Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens

CVE-2026-45757

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

RocketChat/Rocket.chatllm-fuzzy
Range: <8.5.0

Patches

Vulnerability mechanics

References

github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000