Description
In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.
Published: 2026-04-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Apps-Engine Logs
Action: Patch Now
AI Analysis

Impact

The vulnerability is a typo in the permission check for the /api/apps/logs and /api/apps/:id/logs endpoints. Because the required permission is not correctly verified, any authenticated user can access application engine logs, even if they do not possess the appropriate privileges. This flaw allows an attacker who can authenticate to the system to read potentially sensitive administrative logs, exposing configuration data, user activity, or other internal information that should be protected. The weakness is categorized as Improper Access Control (CWE‑284).

Affected Systems

Rocket.Chat instances running any of the following versions are affected: all releases earlier than 8.4.0, 8.3.2, 8.2.2, 8.1.3, 8.0.4, 7.13.6, 7.12.7, 7.11.7, and 7.10.10. The issue applies to all environments where these versions are deployed.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. The EPSS score is less than 1 %, implying a very low likelihood of exploitation under current conditions. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user, so the attack vector is internal or through social engineering that grants legitimate credentials. The impact is limited to information disclosure rather than code execution or denial of service.

Generated by OpenCVE AI on April 28, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Rocket.Chat 8.4.0 or later (or 8.3.2+, 8.2.2+, 8.1.3+, 8.0.4+, 7.13.6+, 7.12.7+, 7.11.7+, or 7.10.10+ as appropriate for your environment).
  • Reconfigure the log endpoints to enforce proper permission checks, ensuring that only users with the designated log‑read permission can access the /api/apps/logs and /api/apps/:id/logs routes.
  • Audit existing logs for any unauthorized access events and adjust user roles or permissions accordingly to prevent future accidental disclosures.

Generated by OpenCVE AI on April 28, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Title Information Disclosure via Improper Permission Check on Rocket.Chat Apps-Engine Log Endpoints

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Rocket.chat
Rocket.chat rocket.chat
Vendors & Products Rocket.chat
Rocket.chat rocket.chat

Fri, 24 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.
Weaknesses CWE-284
References

Subscriptions

Rocket.chat Rocket.chat
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-04-24T14:18:07.117Z

Reserved: 2026-03-04T15:00:09.266Z

Link: CVE-2026-29197

cve-icon Vulnrichment

Updated: 2026-04-24T14:17:50.488Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T00:16:27.647

Modified: 2026-04-28T19:34:33.383

Link: CVE-2026-29197

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses