Rocket.Chat CVE-2026-48929
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
DDP method is network-reachable with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); impact is file deletion only, so C:N/I:N/A:H with no scope change.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
AnalysisAI
Unauthenticated file deletion in Rocket.Chat allows remote attackers to permanently delete arbitrary uploaded files from a target server via the deleteFileMessage Meteor method over a DDP WebSocket connection. The flaw stems from an authorization check that is silently skipped when Meteor.userId() returns null on unauthenticated DDP sessions, letting any internet-accessible attacker destroy attachments whose IDs are discoverable from public channel messages and download URLs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must run a Rocket.Chat server older than the fixed versions (8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13) with its DDP WebSocket endpoint (typically /websocket on the same port as HTTP) reachable by the attacker - no account, API token, user interaction, or non-default configuration is required, matching AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 and aligns cleanly with the description: network-reachable DDP endpoint, no authentication or user interaction, low complexity, and a pure availability impact (file destruction) with no read/modify primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a raw DDP WebSocket to a public Rocket.Chat server, scrapes file IDs from messages in public channels (or from leaked download URLs), and issues method calls to deleteFileMessage with each ID; because Meteor.userId() is null on the unauthenticated socket, the authorization check is bypassed and each file is permanently removed from both storage and the database. The attack is scriptable in a few lines of JavaScript against any vulnerable instance, making it suitable for targeted sabotage of evidence, support transcripts, or shared design assets. |
| Remediation | Upgrade Rocket.Chat to one of the fixed versions on your maintenance line: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, or 7.10.13, per the upstream patch in https://github.com/RocketChat/Rocket.Chat/pull/40889/ and the security advisory referenced from https://docs.rocket.chat/docs/security-fixes-and-updates. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Confirm Rocket.Chat deployment and current version(s); review file deletion audit logs for unauthorized activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rocket Chat
View allA sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti
A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic
A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev
An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema
An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity
Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today