Description
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious actor can permanently delete any uploaded file by ID from a Rocket.Chat instance if the deleteFileMessage Meteor method is accessed through an unauthenticated DDP WebSocket. The method performs no authentication check when Meteor.userId() returns null, allowing the deletion routine to execute unconditionally. This flaw results in data loss rather than exposure, but the loss of critical or sensitive files can disrupt operations and destroy audit trails. The weakness is rooted in improper authentication, classified as CWE-287.

Affected Systems

Rocket.Chat, specifically all releases prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9 and 7.10.13. Any instance running these versions is vulnerable to the unauthenticated deletion path.

Risk and Exploitability

The CVSS v3.1 score of 7.5 indicates a high severity, yet the EPSS score falls below 1%, suggesting a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the deletion by issuing a deleteFileMessage command over a public DDP WebSocket connection; file identifiers are exposed in public message payloads and download URLs, making them discoverable by non‑authenticated users. Once the command is sent, the file is permanently removed from both storage and the database without any further checks.

Generated by OpenCVE AI on June 17, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Rocket.Chat 8.5.1 or later (or 8.4.4/8.3.6/8.2.6/8.1.6/8.0.7/7.13.9/7.10.13 depending on your current version) to apply the vendor fix for the deleteFileMessage method.
  • Re‑configure your DDP WebSocket endpoints to require authentication before allowing any method calls, ensuring that Meteor.userId() cannot be null for untrusted connections.
  • As a temporary measure, if an upgrade is not possible, block unauthenticated WebSocket traffic at the network layer or through reverse proxy settings to prevent the deleteFileMessage call from being reached.

Generated by OpenCVE AI on June 17, 2026 at 18:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated File Deletion in Rocket.Chat via deleteFileMessage

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Rocket.chat
Rocket.chat rocket.chat
Vendors & Products Rocket.chat
Rocket.chat rocket.chat

Tue, 16 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
Weaknesses CWE-287
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Rocket.chat Rocket.chat
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-17T15:02:44.803Z

Reserved: 2026-05-26T15:00:06.427Z

Link: CVE-2026-48929

cve-icon Vulnrichment

Updated: 2026-06-17T15:02:41.240Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses