{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "8.5.0-rc.0"
              },
              {
                "fixed": "8.5.0"
              },
              {
                "introduced": "8.4.0-rc.0"
              },
              {
                "fixed": "8.4.2"
              },
              {
                "introduced": "8.3.0-rc.0"
              },
              {
                "fixed": "8.3.4"
              },
              {
                "introduced": "8.2.0-rc.0"
              },
              {
                "fixed": "8.2.4"
              },
              {
                "introduced": "8.1.0-rc.0"
              },
              {
                "fixed": "8.1.5"
              },
              {
                "introduced": "8.0.0-rc.0"
              },
              {
                "fixed": "8.0.6"
              },
              {
                "introduced": "7.11.0-rc.0"
              },
              {
                "fixed": "7.13.8"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "7.10.12"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "f3c2b8356043884f29c4d802668f3366a471c957"
            },
            {
              "fixed": "d0230e1ed86163b5cf9da57fda09fa86ea0b5c9f"
            },
            {
              "introduced": "c54eea7bf4c643534b78b65041a2fc78e4f122e0"
            },
            {
              "fixed": "9c1c81ce89909c5b443da253a3775babfa3b9a19"
            },
            {
              "introduced": "d7325cd940dd6908069999e4d168dea938ee2f52"
            },
            {
              "fixed": "05728f08d89625042872554c7a8a1e7bc23e5b61"
            },
            {
              "introduced": "d97ea5ff436e863332d7fd1fa086ef9a9d75cd52"
            },
            {
              "fixed": "7214edf5fdca3a54c3fe168aa3bb3860cad491ca"
            },
            {
              "introduced": "c04b2ca3d4dc586dc504794fa3048bb0c723f5b2"
            },
            {
              "fixed": "8819d70126d3cd6c0b7c5ece5ad6d76543150324"
            },
            {
              "introduced": "84481796011e0a74658b3e37ac96dd246da9466b"
            },
            {
              "fixed": "cf00658355b062dda86a8db6aaea4b7c5cb61749"
            },
            {
              "introduced": "de7ffad1fa219af50d6bc7ef06021db30fcbf183"
            },
            {
              "fixed": "35c0d839014cefb1a43f5dd7f30139bfa08fa0a2"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "7cd60f9bcb1845a6fb793a9ce55be0bb3c8f36d2"
            }
          ],
          "repo": "https://github.com/rocketchat/rocket.chat",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-cqj7-h8cj-jmf2"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-285"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49278.json"
  },
  "details": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.",
  "id": "CVE-2026-49278",
  "modified": "2026-07-15T01:48:52.043965830Z",
  "published": "2026-06-24T21:05:33.587Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49278.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-cqj7-h8cj-jmf2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49278"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor Impersonation"
}