Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Published: 2026-06-24
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat's sendFileMessage DDP method, when used by an authenticated user, forwards the entire attacker-supplied file object to Uploads.updateFileComplete. The method merges the object into a MongoDB $set update using Object.assign without an allow-list of writable fields. Consequently, an attacker can modify any field on their own upload record, notably the store and store-specific path columns. This mass-assignment flaw enables redirecting file metadata and exposing private files, leading to data theft. The issue is fixed in versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7 and 7.10.11, and is classified as CWE-915.

Affected Systems

Rocket.Chat versions earlier than 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 are affected.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score is not available, so an exact exploitation probability cannot be quantified. Based on the description and the CVSS vector (PR:L), the attacker is inferred to be an authenticated user, since sendFileMessage accepts the file object from a logged-in client. An authenticated attacker can use the mass assignment to modify metadata on the uploaded file, potentially causing data theft. Although the vulnerability is not listed in CISA's KEV catalog, the risk remains significant until the fix is applied.

Generated by OpenCVE AI on June 25, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Rocket.Chat release that includes the fix (e.g., 8.5.0 or the equivalent patched version for each series).
  • If an upgrade cannot be performed immediately, modify the sendFileMessage handler to explicitly whitelist allowed fields before invoking Uploads.updateFileComplete, rejecting any other properties sent by the client.
  • Restrict or revoke the permission that allows users to call sendFileMessage for upload manipulation, or add validation logic that prevents sensitive fields such as store and storeSpecificPath from being overwritten by an authenticated user.
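The flaw in the description and the allow-list fix suggested in the actions above, as an added JavaScript example that is not Rocket.Chat's own code: an in-memory stand-in for the update that Uploads.updateFileComplete performs, in the vulnerable shape (Object.assign of the whole client object into $set) beside a hardened version that copies only an explicit allow-list. The collection layout, the store names and every field other than store are assumptions.

```javascript
// Added example (not Rocket.Chat's code). In-memory stand-in for the Uploads
// collection so it runs offline; store names and non-`store` fields are assumed.
const UPLOADS = new Map();

function seedUpload(id, userId) {
  UPLOADS.set(id, { _id: id, userId, store: 'GridFS:Uploads', complete: false });
}

// Stand-in for updateOne({ _id, userId }, { $set }): the owner check is kept,
// but ownership alone does not stop an owner from rewriting sensitive columns.
function applyUpdate(fileId, userId, $set) {
  const doc = UPLOADS.get(fileId);
  if (!doc || doc.userId !== userId) return null;
  Object.assign(doc, $set);
  return doc;
}

// Vulnerable shape described in the advisory: every property the client sent
// is merged into $set, so `store` and path fields become writable too.
function updateFileCompleteVulnerable(fileId, userId, file) {
  return applyUpdate(fileId, userId, Object.assign({ complete: true }, file));
}

// Hardened shape: only an explicit allow-list of completion metadata is
// copied; everything else the client sent is ignored.
const WRITABLE = ['name', 'size', 'type', 'description'];
function updateFileCompleteHardened(fileId, userId, file) {
  const $set = { complete: true };
  for (const key of WRITABLE) {
    if (Object.prototype.hasOwnProperty.call(file, key)) $set[key] = file[key];
  }
  return applyUpdate(fileId, userId, $set);
}

// Keys the hardened path drops; a non-empty list is a tamper signal worth logging.
function rejectedKeys(file) {
  return Object.keys(file).filter((k) => !WRITABLE.includes(k));
}

// Constructed request: ordinary completion metadata plus a smuggled `store`
// override and a path field, the kind of input the advisory describes.
const TAMPERED_FILE = {
  name: 'report.pdf', size: 1024, type: 'application/pdf',
  store: 'FileSystem:Uploads', path: 'attacker-chosen-path',
};

seedUpload('f1', 'u1'); seedUpload('f2', 'u1');
console.log(updateFileCompleteVulnerable('f1', 'u1', TAMPERED_FILE).store); // FileSystem:Uploads
console.log(updateFileCompleteHardened('f2', 'u1', TAMPERED_FILE).store);   // GridFS:Uploads
```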

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Title                          Rocket.Chat: Authenticated Arbitrary Data Export Theft via Mass Assignment in sendFileMessage
Weaknesses                     CWE-915
References
Metrics                        cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:55:25.918Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45687

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes