PatchSiren cyber security CVE debrief

CVE-2026-48929 Rocket.Chat CVE debrief

CVE-2026-48929 is a high-severity vulnerability in Rocket.Chat that allows unauthenticated file deletion. The vulnerability exists in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13. An attacker can exploit it by calling the deleteFileMessage Meteor method over an unauthenticated DDP WebSocket connection, which permanently deletes any uploaded file by ID without requiring authentication. File IDs are discoverable from public channel message payloads and download URLs. The vulnerability has a CVSS score of 7.5 and is rated high severity.

Vendor
Rocket.Chat
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Administrators and users of Rocket.Chat instances, particularly those running versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13, should treat this as urgent and patch or mitigate immediately.

Technical summary

The deleteFileMessage Meteor method in Rocket.Chat permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
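The fall-through described above, shown as an added illustration that is not Rocket.Chat's code: a Meteor-style method handler whose authorization check only runs when a user id is present (vulnerable) beside one that rejects a missing session before anything else (fixed). The in-memory store, the permission model and the error names are assumptions; `Meteor.userId()` is modelled as the `userId` argument.

```javascript
// Added example (not Rocket.Chat's code): a minimal model of the auth-check
// fall-through described above. `Meteor.userId()` is modelled as the userId
// argument; `makeStore` stands in for FileUpload.getStore('Uploads').

class MeteorError extends Error {
  constructor(reason) { super(reason); this.reason = reason; }
}

// In-memory stand-in for the Uploads store, seeded with constructed records.
function makeStore() {
  const files = new Map([
    ['file-1', { _id: 'file-1', userId: 'alice' }],
    ['file-2', { _id: 'file-2', userId: 'bob' }],
  ]);
  return {
    findOneById: (id) => files.get(id) || null,
    deleteById: (id) => files.delete(id),
    size: () => files.size,
  };
}

// Hypothetical permission model: the uploader or an admin may delete a file.
function hasPermission(userId, file) {
  return userId === file.userId || userId === 'admin';
}

// Vulnerable shape: the authorization check only runs when a userId is
// present, so a DDP caller with no session (userId === null) skips it and
// falls through to deleteById, matching the behaviour described above.
function deleteFileMessageVulnerable(store, userId, fileID) {
  const file = store.findOneById(fileID);
  if (!file) throw new MeteorError('error-invalid-file');
  if (userId && !hasPermission(userId, file)) {
    throw new MeteorError('error-not-allowed');
  }
  return store.deleteById(fileID);
}

// Hardened shape: fail closed. A missing session is rejected before any
// lookup or deletion, and the permission check is unconditional.
function deleteFileMessageFixed(store, userId, fileID) {
  if (!userId) throw new MeteorError('error-invalid-user');
  const file = store.findOneById(fileID);
  if (!file) throw new MeteorError('error-invalid-file');
  if (!hasPermission(userId, file)) throw new MeteorError('error-not-allowed');
  return store.deleteById(fileID);
}
```

The fail-closed ordering in the fixed handler (authenticate, then authorize, then act) is the property to check when auditing any other method a server exposes over DDP.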

Defensive priority

high

Recommended defensive actions

  • Update Rocket.Chat to version 8.5.1 or later
  • Restrict access to the deleteFileMessage Meteor method
  • Implement authentication and authorization checks for file deletion
  • Monitor for suspicious file deletion activity
  • Use a Web Application Firewall (WAF) to block malicious traffic
  • Regularly review and update Rocket.Chat instances to ensure they are running with the latest security patches

Evidence notes

The information provided is based on the CVE-2026-48929 record and the source item from the NVD. The vulnerability was reported by [email protected] and is referenced in the HackerOne report 3611837.
