Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Any authenticated user can trigger it over the network with low complexity (PR:L, AV:N, AC:L); rewriting storage metadata to access other data crosses a security boundary (S:C) yielding high confidentiality, low integrity, no availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
AnalysisAI
Insecure object property modification (mass assignment) in Rocket.Chat's file-upload completion flow allows a low-privileged authenticated user to overwrite arbitrary fields on their own upload record, including the storage backend (store) and store-specific path fields. The flaw stems from sendFileMessage passing the entire attacker-controlled file object into Uploads.updateFileComplete, which Object.assigns it into a MongoDB $set with no writable-field allow-list, enabling an attacker to repoint their upload metadata at arbitrary storage locations and disclose sensitive data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Rocket.Chat account with permission to upload files (CVSS PR:L) and the ability to invoke the sendFileMessage DDP method with a manipulated file object - i.e., the attacker must control the file metadata sent during upload completion, which standard clients allow via the DDP/WebSocket API. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, base 8.5) describes a network-reachable, low-complexity attack requiring only low privileges (any authenticated user can upload files) with no user interaction, a changed scope, and high confidentiality impact - consistent with the description of cross-record/storage repointing leading to information disclosure (matching the 'Information Disclosure' tag). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user with a valid Rocket.Chat account uploads a file and intercepts/crafts the sendFileMessage DDP call, injecting extra fields such as 'store' and the store-specific 'path' into the file object. Because updateFileComplete merges these directly into the Mongo $set, the attacker rewrites their upload record to point at a different storage location or backend, causing the platform to serve content the attacker should not be able to reference and disclosing sensitive data. … |
| Remediation | Upgrade to a patched release on your branch: Rocket.Chat 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11 (pick the fixed version matching your current major/minor line) per the vendor advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-fhc2-x8cp-c5ch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Enumerate all Rocket.Chat instances; document current versions; assess file-upload exposure to user base. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39092