Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user — including a standard user role account — can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
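The defect described above is the gap between authentication (is there a valid session?) and authorization (may this account perform this action?). The following is an added illustrative example, not Rocket.Chat's own code: a small route-table model in which a route can declare `authRequired` alone or together with a required permission, a dispatcher that enforces both, and a static check that flags state-changing routes declaring authentication but no permission. The permission name `manage-cloud`, the session tokens and the user records are constructed for the demonstration.

```javascript
// Constructed role -> permission map (assumption: 'manage-cloud' gates
// workspace registration changes; it is not a real Rocket.Chat permission name).
const PERMISSIONS = {
  admin: new Set(['manage-cloud', 'read-messages']),
  user: new Set(['read-messages']),
};

// Constructed session table: auth token -> user record.
const SESSIONS = {
  'tok-admin': { id: 'u1', roles: ['admin'] },
  'tok-user': { id: 'u2', roles: ['user'] },
};

// Authentication: resolve the token to a user, or null if none/invalid.
function authenticate(req) {
  const token = req.headers['x-auth-token'];
  return token && SESSIONS[token] ? SESSIONS[token] : null;
}

// Authorization: does any of the user's roles grant the permission?
function hasPermission(user, permission) {
  return user.roles.some((r) => PERMISSIONS[r] !== undefined && PERMISSIONS[r].has(permission));
}

// Handler for the deregistration action; here it only reports what would happen.
function deregisterWorkspace(body, user) {
  if (body.setDeploymentAs !== 'new-workspace') {
    return { status: 400, body: { error: 'unsupported action' } };
  }
  return { status: 200, body: { ok: true, by: user.id, action: 'deregistered' } };
}

// Vulnerable pattern: authentication only. Every logged-in account reaches the handler.
const vulnerableRoute = {
  method: 'POST',
  authRequired: true,
  handler: (req, user) => deregisterWorkspace(req.body, user),
};

// Hardened pattern: the route also names the permission the caller must hold.
const hardenedRoute = {
  method: 'POST',
  authRequired: true,
  permissionsRequired: ['manage-cloud'],
  handler: (req, user) => deregisterWorkspace(req.body, user),
};

// Dispatcher: 401 without a valid session, 403 without the declared permissions.
function dispatch(route, req) {
  let user = null;
  if (route.authRequired) {
    user = authenticate(req);
    if (!user) return { status: 401, body: { error: 'unauthorized' } };
  }
  for (const p of route.permissionsRequired || []) {
    if (!user || !hasPermission(user, p)) {
      return { status: 403, body: { error: `missing permission ${p}` } };
    }
  }
  return route.handler(req, user);
}

// Static review check: non-GET routes that authenticate but declare no permission
// are exactly the shape of the bug in this advisory.
function findUnauthorizedRoutes(routes) {
  return Object.entries(routes)
    .filter(([, r]) => r.method !== 'GET' && r.authRequired
      && !(Array.isArray(r.permissionsRequired) && r.permissionsRequired.length > 0))
    .map(([name]) => name);
}

// Build a request carrying the constructed token and the payload from the advisory.
function makeRequest(token) {
  return { headers: { 'x-auth-token': token }, body: { setDeploymentAs: 'new-workspace' } };
}

console.log('vulnerable, standard user:', dispatch(vulnerableRoute, makeRequest('tok-user')).status);
console.log('hardened, standard user:', dispatch(hardenedRoute, makeRequest('tok-user')).status);
console.log('hardened, admin:', dispatch(hardenedRoute, makeRequest('tok-admin')).status);
console.log('routes lacking a permission check:', findUnauthorizedRoutes({ fingerprint: vulnerableRoute }));
```

Running `findUnauthorizedRoutes` over a real route table is the kind of check that catches this class of omission before release: the patched versions close the gap by making a privilege, not merely a session, the condition for deregistering the workspace.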
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: High
Affected products
- RocketChat / Rocket.Chat >= 8.5.0-rc.0, < 8.5.1
- RocketChat / Rocket.Chat >= 8.4.0-rc.0, < 8.4.4
- RocketChat / Rocket.Chat >= 8.3.0-rc.0, < 8.3.6
- RocketChat / Rocket.Chat >= 8.2.0-rc.0, < 8.2.6
- RocketChat / Rocket.Chat >= 8.1.0-rc.0, < 8.1.6
- RocketChat / Rocket.Chat >= 7.11.0-rc.0, < 8.0.7
- RocketChat / Rocket.Chat < 7.10.13