Skip to main content

Rocket.Chat CVE-2026-45687

| EUVDEUVD-2026-39092 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-06-24 security-advisories@github.com
8.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Any authenticated user can trigger it over the network with low complexity (PR:L, AV:N, AC:L); rewriting storage metadata to access other data crosses a security boundary (S:C) yielding high confidentiality, low integrity, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 21:37 vuln.today

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

AnalysisAI

Insecure object property modification (mass assignment) in Rocket.Chat's file-upload completion flow allows a low-privileged authenticated user to overwrite arbitrary fields on their own upload record, including the storage backend (store) and store-specific path fields. The flaw stems from sendFileMessage passing the entire attacker-controlled file object into Uploads.updateFileComplete, which Object.assigns it into a MongoDB $set with no writable-field allow-list, enabling an attacker to repoint their upload metadata at arbitrary storage locations and disclose sensitive data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged user
Delivery
Initiate file upload via DDP
Exploit
Craft sendFileMessage with malicious store/path fields
Execution
Mass-assignment merges into Mongo $set
Persist
Repoint upload record to attacker-chosen storage location
Impact
Retrieve and disclose unauthorized data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Rocket.Chat account with permission to upload files (CVSS PR:L) and the ability to invoke the sendFileMessage DDP method with a manipulated file object - i.e., the attacker must control the file metadata sent during upload completion, which standard clients allow via the DDP/WebSocket API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, base 8.5) describes a network-reachable, low-complexity attack requiring only low privileges (any authenticated user can upload files) with no user interaction, a changed scope, and high confidentiality impact - consistent with the description of cross-record/storage repointing leading to information disclosure (matching the 'Information Disclosure' tag). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user with a valid Rocket.Chat account uploads a file and intercepts/crafts the sendFileMessage DDP call, injecting extra fields such as 'store' and the store-specific 'path' into the file object. Because updateFileComplete merges these directly into the Mongo $set, the attacker rewrites their upload record to point at a different storage location or backend, causing the platform to serve content the attacker should not be able to reference and disclosing sensitive data. …
Remediation Upgrade to a patched release on your branch: Rocket.Chat 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11 (pick the fixed version matching your current major/minor line) per the vendor advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-fhc2-x8cp-c5ch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Enumerate all Rocket.Chat instances; document current versions; assess file-upload exposure to user base. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy