PatchSiren

Rocket.Chat CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Rocket.Chat CVE published 2026-06-17

CVE-2026-48929

CVE-2026-48929 is a high-severity vulnerability in Rocket.Chat that allows unauthenticated file deletion. The vulnerability exists in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13. An attacker can exploit this vulnerability by calling the deleteFileMessage Meteor method via an unauthenticated DDP WebSocket connection, which permanently deletes any uploaded file by ID witho [truncated]

CRITICAL Rocket.Chat CVE published 2026-06-17

CVE-2026-48616

A critical vulnerability (CVSS Score: 9.3) was discovered in Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. The vulnerability allows unauthenticated attackers to access Livechat files due to improper authorization in the file download process. Specifically, the authorization path does not verify that the room ID (rc_rid) matches the requested file's room ID, a [truncated]

HIGH Rocket.Chat CVE published 2026-05-28

CVE-2026-32995

## Summary Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12 contain an insecure direct object reference (IDOR) vulnerability in the DDP method `autoTranslate.translateMessage`. The method accepts a client-supplied `IMessage` object and passes it directly to `translateMessage()` without validating `Meteor.userId()` or verifying room membership. This allows any aut [truncated]

MEDIUM Rocket.Chat CVE published 2026-05-19

CVE-2026-32994

A missing authorization check in the auto-translation API endpoint allows authenticated users to retrieve message content from any room without access verification. The endpoint fetches messages by ID without validating room membership, exposing private communications.