CVE-2026-55762 Overview
CVE-2026-55762 is a missing authorization vulnerability [CWE-862] in Rocket.Chat, an open-source communications platform. The POST /api/v1/fingerprint REST endpoint enforces authentication but performs no authorization check on the caller's role. Any authenticated user, including standard non-privileged accounts, can submit the payload {"setDeploymentAs": "new-workspace"} to deregister the workspace from Rocket.Chat Cloud. The action wipes cloud credentials, removes the workspace license, and breaks push notifications for every user on the deployment. Recovery requires manual re-registration. The issue is fixed in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
Critical Impact
A single low-privileged authenticated user can permanently deregister a Rocket.Chat workspace from Rocket.Chat Cloud, destroying licensing and push notification capabilities.
Affected Products
- Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13
- Self-hosted Rocket.Chat deployments registered with Rocket.Chat Cloud
- Rocket.Chat workspaces relying on cloud-issued push notification credentials
Discovery Timeline
- 2026-06-24 - CVE-2026-55762 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-55762
Vulnerability Analysis
The vulnerability resides in the POST /api/v1/fingerprint REST endpoint. The endpoint is declared with authRequired: true, which gates access behind a valid session. However, it does not verify whether the caller holds an administrative role before mutating workspace registration state. A request body containing {"setDeploymentAs": "new-workspace"} triggers the workspace to re-identify itself as a fresh deployment to Rocket.Chat Cloud. This severs the existing cloud association, invalidates licenses, and removes credentials needed for push notification delivery through the Apple Push Notification service and Firebase Cloud Messaging relays. Recovery is not automatic. Administrators must manually re-register the workspace with Rocket.Chat Cloud to restore licensed features and mobile notifications.
Root Cause
The root cause is a missing authorization check [CWE-862] on a sensitive administrative API. Authentication confirms identity but does not enforce role-based permissions. The endpoint should restrict deployment-altering operations to users holding the admin role, but the code path proceeds for any authenticated principal.
Attack Vector
Exploitation requires network access to the Rocket.Chat REST API and a valid authenticated session, including a standard user account. The attacker sends an HTTP POST to /api/v1/fingerprint with the setDeploymentAs field set to new-workspace. No user interaction is required from administrators. The attack delivers no confidentiality impact but produces high integrity and availability impact across the deployment.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-8hhc-j325-rxqp for vendor technical detail.
Detection Methods for CVE-2026-55762
Indicators of Compromise
- HTTP POST requests to /api/v1/fingerprint containing the JSON body field setDeploymentAs with value new-workspace
- Sudden loss of Rocket.Chat Cloud license status or push notification delivery failures across all mobile clients
- Unexpected workspace re-registration prompts in the Rocket.Chat administrative console
- API calls to the fingerprint endpoint originating from non-administrator user accounts
Detection Strategies
- Audit web access logs and reverse proxy logs for POST requests to /api/v1/fingerprint and correlate with the authenticated user identifier in X-User-Id headers
- Alert when the fingerprint endpoint is invoked by an account that does not hold the admin role
- Monitor Rocket.Chat audit logs for workspace deregistration events and license state transitions
Monitoring Recommendations
- Forward Rocket.Chat application and HTTP access logs to a centralized logging platform for retention and correlation
- Create alerting rules tied to push notification service health and license expiration callbacks from Rocket.Chat Cloud
- Track baseline call frequency for administrative API endpoints and flag deviations
How to Mitigate CVE-2026-55762
Immediate Actions Required
- Upgrade Rocket.Chat to a patched version: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, or 7.10.13 matching the deployed release branch
- Review existing user accounts and remove or downgrade any that are no longer needed to reduce the authenticated attack surface
- Verify workspace cloud registration status and capture current license and registration identifiers before patching
Patch Information
The vendor released fixes in Rocket.Chat versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. Patched releases add the missing authorization check to the /api/v1/fingerprint endpoint. See the GitHub Security Advisory GHSA-8hhc-j325-rxqp for release details.
Workarounds
- Restrict access to the Rocket.Chat REST API at the network perimeter or reverse proxy layer, blocking unauthenticated network paths to /api/v1/fingerprint
- Apply a reverse proxy rule that rejects POST requests to /api/v1/fingerprint until the patched version is deployed
- If deregistration occurs, manually re-register the workspace with Rocket.Chat Cloud to restore licenses and push notifications
# Example NGINX rule to block the vulnerable endpoint until patching completes
location = /api/v1/fingerprint {
if ($request_method = POST) {
return 403;
}
proxy_pass http://rocketchat_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

