CVE-2026-45687
Deferred Deferred - Pending Action

Path Traversal in Rocket.Chat

Vulnerability report for CVE-2026-45687, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket.chat rocket.chat to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to access unauthorized data exports, including entire message histories, private channels, direct messages, uploaded files, and profile metadata of victims. Such unauthorized access to personal and sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on personal data confidentiality and integrity.

Because attackers can manipulate file paths to access other users' data exports without admin privileges, this flaw undermines data access controls and confidentiality requirements essential for compliance with these standards.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. It involves the sendFileMessage DDP method, which passes the entire attacker-supplied file object into the Uploads.updateFileComplete function. This function merges the object directly into a MongoDB $set update using Object.assign without an allow-list of writable fields.

Because there is no restriction on which fields can be written, an attacker can rewrite any column on their own upload record, including critical fields like 'store' and the store-specific path fields. This allows the attacker to manipulate how files are stored or referenced within the system.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker with limited privileges to modify important fields related to file storage in Rocket.Chat. Specifically, they can alter the storage location and path of uploaded files.

The CVSS score of 8.5 indicates a high severity, with potential for high confidentiality impact and limited integrity impact, but no availability impact. This means sensitive data could be exposed or manipulated by an attacker, potentially leading to unauthorized access or data leakage.

Detection Guidance

This vulnerability involves an authenticated non-admin user exploiting the sendFileMessage method to manipulate file upload records in Rocket.Chat before certain patched versions.

To detect exploitation attempts on your system, you should monitor for unusual or unauthorized modifications to file upload records, especially changes to the 'store' and storage-specific path fields in MongoDB related to user uploads.

Since the exploit requires authenticated access, reviewing application logs for suspicious sendFileMessage DDP method calls with unusual payloads can help identify potential attacks.

Specific commands to detect this vulnerability are not provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45687. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart