{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "8.5.0-rc.0"
              },
              {
                "fixed": "8.5.0"
              },
              {
                "introduced": "8.4.0-rc.0"
              },
              {
                "fixed": "8.4.2"
              },
              {
                "introduced": "8.3.0-rc.0"
              },
              {
                "fixed": "8.3.4"
              },
              {
                "introduced": "8.2.0-rc.0"
              },
              {
                "fixed": "8.2.4"
              },
              {
                "introduced": "8.1.0-rc.0"
              },
              {
                "fixed": "8.1.5"
              },
              {
                "introduced": "8.0.0-rc.0"
              },
              {
                "fixed": "8.0.6"
              },
              {
                "introduced": "7.11.0-rc.0"
              },
              {
                "fixed": "7.13.8"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "7.10.12"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "f3c2b8356043884f29c4d802668f3366a471c957"
            },
            {
              "fixed": "d0230e1ed86163b5cf9da57fda09fa86ea0b5c9f"
            },
            {
              "introduced": "c54eea7bf4c643534b78b65041a2fc78e4f122e0"
            },
            {
              "fixed": "9c1c81ce89909c5b443da253a3775babfa3b9a19"
            },
            {
              "introduced": "d7325cd940dd6908069999e4d168dea938ee2f52"
            },
            {
              "fixed": "05728f08d89625042872554c7a8a1e7bc23e5b61"
            },
            {
              "introduced": "d97ea5ff436e863332d7fd1fa086ef9a9d75cd52"
            },
            {
              "fixed": "7214edf5fdca3a54c3fe168aa3bb3860cad491ca"
            },
            {
              "introduced": "c04b2ca3d4dc586dc504794fa3048bb0c723f5b2"
            },
            {
              "fixed": "8819d70126d3cd6c0b7c5ece5ad6d76543150324"
            },
            {
              "introduced": "84481796011e0a74658b3e37ac96dd246da9466b"
            },
            {
              "fixed": "cf00658355b062dda86a8db6aaea4b7c5cb61749"
            },
            {
              "introduced": "de7ffad1fa219af50d6bc7ef06021db30fcbf183"
            },
            {
              "fixed": "35c0d839014cefb1a43f5dd7f30139bfa08fa0a2"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "7cd60f9bcb1845a6fb793a9ce55be0bb3c8f36d2"
            }
          ],
          "repo": "https://github.com/rocketchat/rocket.chat",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-39hg-492f-3c4f"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-613"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49277.json"
  },
  "details": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.",
  "id": "CVE-2026-49277",
  "modified": "2026-07-15T01:48:52.564957336Z",
  "published": "2026-06-24T21:04:09.602Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49277.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-39hg-492f-3c4f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49277"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation"
}