{"api_version":"1","generated_at":"2026-06-25T03:50:34+00:00","cve":"CVE-2026-45757","urls":{"html":"https://cve.report/CVE-2026-45757","api":"https://cve.report/api/cve/CVE-2026-45757.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45757","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45757"},"summary":{"title":"Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens","description":"Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-24 21:16:54","updated_at":"2026-06-24 21:16:54"},"problem_types":["CWE-613","CWE-613 CWE-613: Insufficient Session Expiration"],"metrics":[{"version":"4.0","source":"security-advisories@github.com","type":"Secondary","score":"2.3","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"2.3","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N","data":{"attackComplexity":"HIGH","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":2.3,"baseSeverity":"LOW","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW"}}],"references":[{"url":"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892","name":"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45757","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45757","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 8.5.0-rc.0, < 8.5.0","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 8.4.0-rc.0, < 8.4.2","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 8.3.0-rc.0, < 8.3.4","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 8.2.0-rc.0, < 8.2.4","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 8.1.0-rc.0, < 8.1.5","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 8.0.0-rc.0, < 8.0.6","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected >= 7.11.0-rc.0, < 7.13.8","platforms":[]},{"source":"CNA","vendor":"RocketChat","product":"Rocket.Chat","version":"affected < 7.10.12","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"Rocket.Chat","vendor":"RocketChat","versions":[{"status":"affected","version":">= 8.5.0-rc.0, < 8.5.0"},{"status":"affected","version":">= 8.4.0-rc.0, < 8.4.2"},{"status":"affected","version":">= 8.3.0-rc.0, < 8.3.4"},{"status":"affected","version":">= 8.2.0-rc.0, < 8.2.4"},{"status":"affected","version":">= 8.1.0-rc.0, < 8.1.5"},{"status":"affected","version":">= 8.0.0-rc.0, < 8.0.6"},{"status":"affected","version":">= 7.11.0-rc.0, < 7.13.8"},{"status":"affected","version":"< 7.10.12"}]}],"descriptions":[{"lang":"en","value":"Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12."}],"metrics":[{"cvssV4_0":{"attackComplexity":"HIGH","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":2.3,"baseSeverity":"LOW","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-613","description":"CWE-613: Insufficient Session Expiration","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T21:02:14.090Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892","tags":["x_refsource_CONFIRM"],"url":"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-6g3w-vg5p-w892"}],"source":{"advisory":"GHSA-6g3w-vg5p-w892","discovery":"UNKNOWN"},"title":"Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-45757","datePublished":"2026-06-24T21:01:56.286Z","dateReserved":"2026-05-13T06:54:34.221Z","dateUpdated":"2026-06-24T21:02:14.090Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 21:16:54","lastModifiedDate":"2026-06-24 21:16:54","problem_types":["CWE-613","CWE-613 CWE-613: Insufficient Session Expiration"],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45757","Ordinal":"1","Title":"Rocket.Chat: users.deactivateIdle` deactivates accounts without ","CVE":"CVE-2026-45757","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45757","Ordinal":"1","NoteData":"Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.","Type":"Description","Title":"Rocket.Chat: users.deactivateIdle` deactivates accounts without "}]}}}