Home

Description

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-16 | Updated 2026-06-16 | Assigner hackerone




HIGH: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-287 Improper Authentication - Generic

Product status

Default status
unaffected

Any version before 8.5.1
affected

Any version before 8.4.4
affected

Any version before 8.3.6
affected

Any version before 8.2.6
affected

Any version before 8.1.6
affected

Any version before 8.0.7
affected

Any version before 7.13.9
affected

Any version before 7.10.13
affected

References

hackerone.com/reports/3611837

github.com/RocketChat/Rocket.Chat/pull/40889/

cve.org (CVE-2026-48929)

nvd.nist.gov (CVE-2026-48929)

Download JSON