PT-2026-52118 · Rocket.Chat · Rocket.Chat

Published 2026-06-24 · Updated 2026-06-25 · CVE-2026-55762

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Rocket.Chat versions prior to 8.5.1
Rocket.Chat versions prior to 8.4.4
Rocket.Chat versions prior to 8.3.6
Rocket.Chat versions prior to 8.2.6
Rocket.Chat versions prior to 8.1.6
Rocket.Chat versions prior to 8.0.7
Rocket.Chat versions prior to 7.10.13

Description

The 'POST /api/v1/fingerprint' REST endpoint requires authentication but lacks an authorization check. This allows any authenticated user, regardless of their role, to send a request with the setDeploymentAs variable set to "new-workspace". Such an action permanently deregisters the workspace from Rocket.Chat Cloud, resulting in the deletion of cloud credentials, removal of the workspace license, and failure of push notifications for all users, necessitating a manual re-registration process for recovery.

Recommendations

Update to version 8.5.1
Update to version 8.4.4
Update to version 8.3.6
Update to version 8.2.6
Update to version 8.1.6
Update to version 8.0.7
Update to version 7.10.13

As a temporary workaround, restrict access to the 'POST /api/v1/fingerprint' endpoint to prevent unauthorized users from modifying workspace registration.
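
The gap between authentication and authorization described above, shown as an added example that is not Rocket.Chat code and not part of the original advisory. The workspace object, the handler names and the 'admin' role check are assumptions made for illustration; only the endpoint behaviour and the setDeploymentAs value come from the description.

```javascript
// Added illustration: a minimal model of the flaw class, not Rocket.Chat source code.
// The workspace object, the role names and both handler names are hypothetical.

function makeWorkspace() {
  // Constructed sample state standing in for the cloud registration data.
  return { cloudCredentials: 'constructed-token', license: 'constructed-license', registered: true };
}

// Shared state change: what the advisory says "new-workspace" triggers.
function applyFingerprint(workspace, body) {
  if (body.setDeploymentAs === 'new-workspace') {
    workspace.cloudCredentials = null;
    workspace.license = null;
    workspace.registered = false;
  }
  return { status: 200 };
}

// Before: authentication only. Any logged-in user reaches the state change.
function fingerprintAuthOnly(workspace, user, body) {
  if (!user) return { status: 401 };
  return applyFingerprint(workspace, body);
}

// After: authentication plus an authorization check on the caller's role.
function fingerprintWithAuthz(workspace, user, body) {
  if (!user) return { status: 401 };
  if (!user.roles.includes('admin')) return { status: 403 }; // assumed role name
  return applyFingerprint(workspace, body);
}

// Run the same request from a low-privilege account against both handlers.
function demo() {
  const member = { id: 'u1', roles: ['user'] };
  const admin = { id: 'u2', roles: ['admin'] };
  const body = { setDeploymentAs: 'new-workspace' };
  const a = makeWorkspace();
  const b = makeWorkspace();
  const c = makeWorkspace();
  return {
    authOnly: { res: fingerprintAuthOnly(a, member, body), registered: a.registered },
    withAuthz: { res: fingerprintWithAuthz(b, member, body), registered: b.registered },
    adminCall: { res: fingerprintWithAuthz(c, admin, body), registered: c.registered },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same pattern is useful as a regression test after upgrading: a request from a non-privileged account should be rejected and leave the registration state untouched.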

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-55762

Affected Products

Rocket.Chat