Home

Description

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-16 | Updated 2026-06-16 | Assigner hackerone




CRITICAL: 9.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Problem types

CWE-284 Improper Access Control - Generic

Product status

Default status
unaffected

Any version before 8.5.1
affected

Any version before 8.4.4
affected

Any version before 8.3.6
affected

Any version before 8.2.6
affected

Any version before 8.1.6
affected

Any version before 8.0.7
affected

Any version before 7.13.9
affected

Any version before 7.10.13
affected

References

hackerone.com/reports/3687142

github.com/RocketChat/Rocket.Chat/pull/40889

cve.org (CVE-2026-48616)

nvd.nist.gov (CVE-2026-48616)

Download JSON