Skip to main content

Rocket.Chat CVE-2026-48616

CRITICAL
Improper Access Control (CWE-284)
2026-06-16 hackerone
9.3
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
9.3 CRITICAL

Endpoint is internet-reachable with no auth (AV:N/AC:L/PR:N/UI:N); Livechat auth boundary is crossed to read other rooms' files (S:C, C:H); predictable IDs allow some write-side abuse via enumeration (I:L); no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 00:12 vuln.today
Analysis Generated
Jun 17, 2026 - 00:12 vuln.today

DescriptionCVE.org

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.

AnalysisAI

Unauthenticated information disclosure in Rocket.Chat allows remote attackers to enumerate and download arbitrary uploaded files via the Livechat file-download endpoint. The flaw at /file-upload/:fileId/:name validates rc_token against rc_rid but never checks that rc_rid matches the requested file's actual room ID, and sequential MongoDB ObjectIDs make :fileId predictable, enabling discovery of all uploads. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Rocket.Chat instance with Livechat enabled
Delivery
Open Livechat session to obtain rc_rid and rc_token
Exploit
Enumerate sequential MongoDB ObjectIds for fileId
Execution
Request /file-upload/:fileId/x with rc_room_type=l
Persist
Bypass per-file rid check and download arbitrary uploads
Impact
Exfiltrate sensitive attachments across rooms

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Rocket.Chat server has the Livechat/Omnichannel feature enabled (so the rc_room_type=l authorization branch is reachable) and that the attacker can obtain one valid rc_rid + rc_token pair, which any visitor can self-issue by initiating a Livechat session - no Rocket.Chat user account, admin role, or user interaction from a victim is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N (9.3 Critical) aligns with the description: network-reachable endpoint, no authentication, low complexity, scope change (Livechat trust boundary crossed to access other rooms' files), with high confidentiality impact via mass file exfiltration and low integrity impact (predictable IDs let an attacker iterate). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens a Livechat session on the target Rocket.Chat instance (or any instance with Livechat enabled), capturing their own valid rc_rid and rc_token. They then script GET requests to /file-upload/<incrementing MongoDB ObjectId>/x with rc_room_type=l plus their captured rc_rid/rc_token, iterating ObjectIds derived from known timestamps to bulk-download every uploaded file across all rooms and tenants, including private channel attachments and DMs.
Remediation Vendor-released patch: upgrade Rocket.Chat to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, or 7.10.13 (whichever matches your current branch), tracked in PR https://github.com/RocketChat/Rocket.Chat/pull/40889 and the security hotfix notice at https://docs.rocket.chat/docs/security-fixes-and-updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Rocket.Chat deployments and document versions; assess network exposure of the /file-upload endpoint; review logs for suspicious file enumeration patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-22910 CRITICAL POC
9.8 Aug 09

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an

CVE-2021-22911 CRITICAL POC
9.8 May 27

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti

CVE-2022-35248 HIGH POC
8.8 Sep 23

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic

CVE-2022-32211 HIGH POC
8.8 Sep 23

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev

CVE-2024-39713 HIGH POC
8.6 Aug 05

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev

CVE-2021-22892 HIGH POC
7.5 May 27

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema

CVE-2022-30124 MEDIUM POC
6.8 Sep 23

An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph

CVE-2022-32227 MEDIUM POC
6.5 Sep 23

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token

CVE-2022-32220 MEDIUM POC
6.5 Sep 23

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth

CVE-2021-32832 MEDIUM POC
6.5 Aug 30

Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity

CVE-2020-15926 MEDIUM POC
6.1 Aug 18

Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct

CVE-2019-17220 MEDIUM POC
6.1 Oct 21

Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i

Share

CVE-2026-48616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy