PatchSiren cyber security CVE debrief

CVE-2026-48616 Rocket.Chat CVE debrief

A critical vulnerability (CVSS Score: 9.3) was discovered in Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. The vulnerability allows unauthenticated attackers to access Livechat files due to improper authorization in the file download process. Specifically, the authorization path does not verify that the room ID (rc_rid) matches the requested file's room ID, and the file ID (fileId) is predictable via sequential MongoDB IDs. Additionally, the file name (name) can be arbitrary, enabling the discovery of all uploaded files.

Vendor
Rocket.Chat
Product
Unknown
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Administrators and users of Rocket.Chat, especially those using Livechat functionality, should be aware of this critical vulnerability. Immediate action is required to prevent unauthorized access to sensitive files.

Technical summary

The vulnerability exists in the file download endpoint /file-upload/:fileId/:name. The authorization mechanism uses rc_room_type=l with rc_rid and rc_token, but it fails to verify that rc_rid matches the room ID of the requested file. The fileId is sequentially generated by MongoDB, making it predictable. The name parameter can be any string, allowing attackers to discover and access files without authentication.
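To make the missing check concrete, below is an added, hypothetical model of the authorization decision (not Rocket.Chat's own code): the in-memory store, the request shape and the function names are assumptions. The vulnerable form only proves that the caller is a visitor of some Livechat room; the hardened form binds the decision to the room the file was uploaded to.

```javascript
// Illustrative model of the authorization flaw, not Rocket.Chat's implementation.
// Constructed sample data: two Livechat rooms (t === 'l') with their visitor
// tokens, and one uploaded file that belongs to room "roomA".
const store = {
  rooms: {
    roomA: { t: 'l', visitorToken: 'token-A' },
    roomB: { t: 'l', visitorToken: 'token-B' },
  },
  files: {
    file1: { _id: 'file1', rid: 'roomA', name: 'invoice.pdf' },
  },
};

// Does the presented rc_token belong to the visitor of Livechat room rid?
function visitorOwnsRoom(db, rid, token) {
  const room = db.rooms[rid];
  return Boolean(room && room.t === 'l' && room.visitorToken === token);
}

// Vulnerable check: rc_rid/rc_token are validated on their own, but the
// requested file's room (file.rid) is never compared with rc_rid. The name
// parameter is not consulted at all, as the advisory notes.
function canDownloadVulnerable(db, req) {
  const file = db.files[req.fileId];
  if (!file || req.rc_room_type !== 'l') return false;
  return visitorOwnsRoom(db, req.rc_rid, req.rc_token);
}

// Hardened check: the file's own room is the only room whose visitor may
// fetch it, so the token is verified against file.rid, not a caller-chosen rid.
function canDownloadFixed(db, req) {
  const file = db.files[req.fileId];
  if (!file || req.rc_room_type !== 'l') return false;
  if (file.rid !== req.rc_rid) return false; // the check the vulnerable path lacks
  return visitorOwnsRoom(db, file.rid, req.rc_token);
}

// Request from roomA's visitor for roomA's file: must succeed in both versions.
const sameRoom = { fileId: 'file1', name: 'invoice.pdf',
  rc_room_type: 'l', rc_rid: 'roomA', rc_token: 'token-A' };
// Request carrying roomB credentials for roomA's file: only the hardened
// version refuses it. Note the name value is irrelevant to either check.
const crossRoom = { fileId: 'file1', name: 'anything',
  rc_room_type: 'l', rc_rid: 'roomB', rc_token: 'token-B' };
```

A detection angle follows from the same comparison: download requests whose rc_rid differs from the stored room of the requested file are the signal to alert on.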

Defensive priority

Critical

Recommended defensive actions

  • Update Rocket.Chat to version 8.5.1 or later, 8.4.4 or later, 8.3.6 or later, 8.2.6 or later, 8.1.6 or later, 8.0.7 or later, 7.13.9 or later, or 7.10.13 or later.
  • Restrict access to the Livechat file download endpoint.
  • Implement additional authentication and authorization checks for file downloads.
  • Monitor for suspicious file access attempts.
  • Review and update access controls for Livechat files.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.

Evidence notes

The information provided is based on the CVE record and NVD details. The vulnerability was reported through HackerOne. The accuracy of this debrief relies on the information available from these sources.
