Description
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat files uploaded via the Livechat feature can be downloaded through the /file-upload/:fileId/:name endpoint. The authorization logic checks only the livechat room type and token but does not confirm that the requested file belongs to the same room, allowing a user to download any file by guessing its MongoDB _id. This results in a classic access control flaw (CWE-284) that exposes confidential data to unauthenticated parties.

Affected Systems

The flaw affects Rocket.Chat versions earlier than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. Administrators should verify the running version and ensure it meets or exceeds the minimum patched releases enumerated above.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity, yet the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending HTTP GET requests to the exposed endpoint with sequential file IDs, allowing unauthenticated enumeration and download of all uploaded files. No additional privileges are required to discover these files, but legitimate livechat users could also gain unintended access to sensitive content.

Generated by OpenCVE AI on June 17, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to a patched version (≥8.5.1, ≥8.4.4, ≥8.3.6, ≥8.2.6, ≥8.1.6, ≥8.0.7, ≥7.13.9, or ≥7.10.13) to eliminate the flaw.
  • Apply server‑side controls to restrict access to the /file-upload/:fileId/:name endpoint, ensuring that the rid in the path matches the file’s room ID and that only authenticated users can retrieve files.
  • Conduct a scan of exposed file paths and review audit logs for unauthorized download attempts to detect and mitigate potential exploitation attempts.

Generated by OpenCVE AI on June 17, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthorized File Discovery in Rocket.Chat Livechat File Downloads
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Rocket.chat
Rocket.chat rocket.chat
Vendors & Products Rocket.chat
Rocket.chat rocket.chat

Tue, 16 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 9.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Rocket.chat Rocket.chat
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-17T15:01:42.246Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48616

cve-icon Vulnrichment

Updated: 2026-06-17T15:01:36.397Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses