Rocket.Chat CVE-2026-48616
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Endpoint is internet-reachable with no auth (AV:N/AC:L/PR:N/UI:N); Livechat auth boundary is crossed to read other rooms' files (S:C, C:H); predictable IDs allow some write-side abuse via enumeration (I:L); no availability impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
AnalysisAI
Unauthenticated information disclosure in Rocket.Chat allows remote attackers to enumerate and download arbitrary uploaded files via the Livechat file-download endpoint. The flaw at /file-upload/:fileId/:name validates rc_token against rc_rid but never checks that rc_rid matches the requested file's actual room ID, and sequential MongoDB ObjectIDs make :fileId predictable, enabling discovery of all uploads. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Rocket.Chat server has the Livechat/Omnichannel feature enabled (so the rc_room_type=l authorization branch is reachable) and that the attacker can obtain one valid rc_rid + rc_token pair, which any visitor can self-issue by initiating a Livechat session - no Rocket.Chat user account, admin role, or user interaction from a victim is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N (9.3 Critical) aligns with the description: network-reachable endpoint, no authentication, low complexity, scope change (Livechat trust boundary crossed to access other rooms' files), with high confidentiality impact via mass file exfiltration and low integrity impact (predictable IDs let an attacker iterate). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a Livechat session on the target Rocket.Chat instance (or any instance with Livechat enabled), capturing their own valid rc_rid and rc_token. They then script GET requests to /file-upload/<incrementing MongoDB ObjectId>/x with rc_room_type=l plus their captured rc_rid/rc_token, iterating ObjectIds derived from known timestamps to bulk-download every uploaded file across all rooms and tenants, including private channel attachments and DMs. |
| Remediation | Vendor-released patch: upgrade Rocket.Chat to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, or 7.10.13 (whichever matches your current branch), tracked in PR https://github.com/RocketChat/Rocket.Chat/pull/40889 and the security hotfix notice at https://docs.rocket.chat/docs/security-fixes-and-updates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Rocket.Chat deployments and document versions; assess network exposure of the /file-upload endpoint; review logs for suspicious file enumeration patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rocket Chat
View allA sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti
A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic
A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev
An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema
An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity
Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today