Impact
Rocket.Chat files uploaded via the Livechat feature can be downloaded through the /file-upload/:fileId/:name endpoint. The authorization logic checks only the livechat room type and token but does not confirm that the requested file belongs to the same room, allowing a user to download any file by guessing its MongoDB _id. This results in a classic access control flaw (CWE-284) that exposes confidential data to unauthenticated parties.
Affected Systems
The flaw affects Rocket.Chat versions earlier than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. Administrators should verify the running version and ensure it meets or exceeds the minimum patched releases enumerated above.
Risk and Exploitability
The CVSS score of 9.3 indicates a high severity, yet the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending HTTP GET requests to the exposed endpoint with sequential file IDs, allowing unauthenticated enumeration and download of all uploaded files. No additional privileges are required to discover these files, but legitimate livechat users could also gain unintended access to sensitive content.
OpenCVE Enrichment