What is CVE-2026-49278?

CVE-2026-49278 is a medium-severity vulnerability in Rocketchat Rocket.chat, classified under Improper Authorization. CVSS score: 6.7/10. Published 2026-06-24.

How severe is CVE-2026-49278?

Medium severity. CVSS v3 base score is 6.7 out of 10.

Auth bypass in Rocketchat Rocket.chat

CVE-2026-49278

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-inf…

CVSS v3 metric

CVSS v3 base score 6.7 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L.

Affected products

Rocketchat Rocket.chat — versions >= 8.5.0-rc.0, < 8.5.0, >= 8.4.0-rc.0, < 8.4.2, >= 8.3.0-rc.0, < 8.3.4

Weakness classification (CWE)

CWE-285 — Improper Authorization

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-49278?: CVE-2026-49278 is a medium-severity vulnerability in Rocketchat Rocket.chat, classified under Improper Authorization. CVSS score: 6.7/10. Published 2026-06-24.
How severe is CVE-2026-49278?: Medium severity. CVSS v3 base score is 6.7 out of 10.