Skip to main content

Rocket.Chat CVE-2026-48929

HIGH
Improper Authentication (CWE-287)
2026-06-16 hackerone
7.5
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

DDP method is network-reachable with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); impact is file deletion only, so C:N/I:N/A:H with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 00:11 vuln.today
Analysis Generated
Jun 17, 2026 - 00:11 vuln.today

DescriptionCVE.org

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.

AnalysisAI

Unauthenticated file deletion in Rocket.Chat allows remote attackers to permanently delete arbitrary uploaded files from a target server via the deleteFileMessage Meteor method over a DDP WebSocket connection. The flaw stems from an authorization check that is silently skipped when Meteor.userId() returns null on unauthenticated DDP sessions, letting any internet-accessible attacker destroy attachments whose IDs are discoverable from public channel messages and download URLs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Rocket.Chat DDP endpoint
Delivery
Open unauthenticated WebSocket session
Exploit
Harvest file IDs from public channels
Execution
Call deleteFileMessage Meteor method
Persist
Bypass null-user authorization check
Impact
Permanently destroy file in storage and DB

Vulnerability AssessmentAI

Exploitation The target must run a Rocket.Chat server older than the fixed versions (8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13) with its DDP WebSocket endpoint (typically /websocket on the same port as HTTP) reachable by the attacker - no account, API token, user interaction, or non-default configuration is required, matching AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 and aligns cleanly with the description: network-reachable DDP endpoint, no authentication or user interaction, low complexity, and a pure availability impact (file destruction) with no read/modify primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens a raw DDP WebSocket to a public Rocket.Chat server, scrapes file IDs from messages in public channels (or from leaked download URLs), and issues method calls to deleteFileMessage with each ID; because Meteor.userId() is null on the unauthenticated socket, the authorization check is bypassed and each file is permanently removed from both storage and the database. The attack is scriptable in a few lines of JavaScript against any vulnerable instance, making it suitable for targeted sabotage of evidence, support transcripts, or shared design assets.
Remediation Upgrade Rocket.Chat to one of the fixed versions on your maintenance line: 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, or 7.10.13, per the upstream patch in https://github.com/RocketChat/Rocket.Chat/pull/40889/ and the security advisory referenced from https://docs.rocket.chat/docs/security-fixes-and-updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Confirm Rocket.Chat deployment and current version(s); review file deletion audit logs for unauthorized activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-22910 CRITICAL POC
9.8 Aug 09

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an

CVE-2021-22911 CRITICAL POC
9.8 May 27

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti

CVE-2022-35248 HIGH POC
8.8 Sep 23

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic

CVE-2022-32211 HIGH POC
8.8 Sep 23

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev

CVE-2024-39713 HIGH POC
8.6 Aug 05

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev

CVE-2021-22892 HIGH POC
7.5 May 27

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema

CVE-2022-30124 MEDIUM POC
6.8 Sep 23

An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph

CVE-2022-32227 MEDIUM POC
6.5 Sep 23

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token

CVE-2022-32220 MEDIUM POC
6.5 Sep 23

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth

CVE-2021-32832 MEDIUM POC
6.5 Aug 30

Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity

CVE-2020-15926 MEDIUM POC
6.1 Aug 18

Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct

CVE-2019-17220 MEDIUM POC
6.1 Oct 21

Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i

Share

CVE-2026-48929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy