Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49278

CVE-2026-49278: Rocket.Chat Information Disclosure Flaw

CVE-2026-49278 is an information disclosure vulnerability in Rocket.Chat that exposes sensitive visitor tokens through the API endpoint. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-49278 Overview

CVE-2026-49278 is an information disclosure vulnerability in Rocket.Chat, an open-source communications platform. The visitors.info endpoint returns a sensitive token field in its API response when callers request visitor information by ID. The token has no documented use case in the response payload and exposes authentication material to any authenticated caller permitted to query visitor data. The issue affects Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. The vulnerability is tracked under [CWE-285] Improper Authorization.

Critical Impact

Authenticated callers can retrieve visitor tokens through the visitors.info API, enabling potential impersonation of live chat visitors and access to associated conversations.

Affected Products

  • Rocket.Chat versions prior to 8.5.0 on the 8.5.x branch
  • Rocket.Chat versions prior to 8.4.2, 8.3.4, 8.2.4, 8.1.5, and 8.0.6 on the 8.x branch
  • Rocket.Chat versions prior to 7.13.8 and 7.10.12 on the 7.x branch

Discovery Timeline

  • 2026-06-24 - CVE-2026-49278 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-49278

Vulnerability Analysis

The vulnerability resides in the visitors.info REST endpoint exposed by the Rocket.Chat Omnichannel module. When a caller queries the endpoint with a visitor identifier, the server serializes the full visitor object including the internal token field. The token is used to associate a live chat visitor with their session and conversations, and it should not leave the server-to-client boundary in administrative or agent-facing responses.

Returning the token in the response widens the trust boundary unnecessarily. Any operator with permission to call visitors.info gains access to credentials that can be replayed against other Omnichannel APIs to act on behalf of the visitor.

The attack requires network access to the Rocket.Chat API and high privileges to call the endpoint. Confidentiality and integrity impact are rated high because a leaked visitor token allows reading and writing to that visitor's conversations.

Root Cause

The response serializer for visitors.info did not strip the token property from the visitor document before returning it to the client. This is an authorization design defect [CWE-285]: the field is technically owned by the visitor identity, but the endpoint exposed it to a different principal class without need.

Attack Vector

An authenticated user with permission to query the visitors.info endpoint sends a request referencing a visitor ID. The JSON response includes the visitor token alongside profile information. The attacker captures the token and uses it with the Omnichannel APIs that accept a visitor token for authentication, allowing them to impersonate the visitor in chat sessions. The full request and response details are documented in the Rocket.Chat API reference and the GitHub Security Advisory GHSA-cqj7-h8cj-jmf2.

Detection Methods for CVE-2026-49278

Indicators of Compromise

  • HTTP GET requests to /api/v1/livechat/visitors.info originating from accounts that do not normally administer Omnichannel.
  • Subsequent Omnichannel API calls authenticated with a visitor token from a source IP different from the visitor's historical sessions.
  • Unusual volume of visitors.info lookups against many visitor IDs in a short window, suggesting enumeration.

Detection Strategies

  • Audit Rocket.Chat access logs for calls to visitors.info and correlate the requesting user identity with their assigned role.
  • Compare visitor token usage across source addresses and user agents to flag replay from new locations.
  • Alert when administrative or agent accounts pull visitor records at rates inconsistent with manual operation.

Monitoring Recommendations

  • Forward Rocket.Chat application and reverse proxy logs to a centralized analytics platform with retention sufficient for forensic review.
  • Build a dashboard tracking calls to visitors.info by user, endpoint, and response size.
  • Monitor for newly created API tokens or personal access tokens that immediately query Omnichannel endpoints.

How to Mitigate CVE-2026-49278

Immediate Actions Required

  • Upgrade Rocket.Chat to one of the fixed releases: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.
  • Inventory accounts with permission to call visitors.info and remove the role from operators who do not need it.
  • Rotate any visitor tokens that may have been exposed by reviewing live chat sessions issued before the upgrade.

Patch Information

Rocket.Chat removed the token field from the visitors.info response in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. Patch details are published in the GitHub Security Advisory GHSA-cqj7-h8cj-jmf2. Apply the upgrade through your normal Rocket.Chat deployment workflow and validate that the response from visitors.info no longer contains a token property.

Workarounds

  • Restrict the view-l-room and related Omnichannel permissions to a minimal set of trusted agents until the upgrade is applied.
  • Place an API gateway or reverse proxy rule in front of Rocket.Chat that strips the token field from visitors.info JSON responses.
  • Disable or limit external network exposure of the Rocket.Chat REST API to internal addresses only during the remediation window.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.