CVE-2026-45687
Path Traversal in Rocket.Chat

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Affected Vendors & Products
Vendor: rocket.chat
Product: rocket.chat
Version / Range: up to 8.5.0 (excluding)
CWE
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. It involves the sendFileMessage DDP method, which passes the entire attacker-supplied file object into the Uploads.updateFileComplete function. This function merges the object directly into a MongoDB $set update using Object.assign without an allow-list of writable fields.

Because there is no restriction on which fields can be written, an attacker can rewrite any column on their own upload record, including critical fields like 'store' and the store-specific path fields. This allows the attacker to manipulate how files are stored or referenced within the system.
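The merge pattern named in the Description and restated in this summary, shown beside an allow-listed version, as an added JavaScript example that is not Rocket.Chat's own code: Uploads, updateFileCompleteVulnerable/Safe, CLIENT_WRITABLE and the sample upload record are hypothetical, and an in-memory map stands in for the MongoDB collection.

```javascript
// Added example, not Rocket.Chat's code: names (Uploads, updateFileComplete*,
// CLIENT_WRITABLE, the sample fields) are hypothetical stand-ins.
const STORE = new Map(); // in-memory stand-in for a MongoDB collection

const Uploads = {
  insertOne(doc) { STORE.set(doc._id, { ...doc }); },
  // Only $set is modelled; it behaves like MongoDB's $set on one document.
  updateOne(filter, update) { Object.assign(STORE.get(filter._id), update.$set); },
  findOne(filter) { return { ...STORE.get(filter._id) }; },
};

// Vulnerable shape (CWE-915): the whole client-supplied object is merged into
// $set, so any field the client names, including store and path, is written.
function updateFileCompleteVulnerable(fileId, userId, file) {
  const $set = { complete: true, progress: 1, uploading: false };
  Object.assign($set, file);
  Uploads.updateOne({ _id: fileId, userId }, { $set });
  return [];
}

// Hardened shape: copy only an explicit allow-list of client-writable fields
// and return everything else so it can be logged or alerted on.
const CLIENT_WRITABLE = new Set(['name', 'type', 'size', 'description']);
function updateFileCompleteSafe(fileId, userId, file) {
  const $set = { complete: true, progress: 1, uploading: false };
  const rejected = [];
  for (const [key, value] of Object.entries(file)) {
    if (CLIENT_WRITABLE.has(key)) $set[key] = value;
    else rejected.push(key);
  }
  Uploads.updateOne({ _id: fileId, userId }, { $set });
  return rejected;
}

// Constructed sample: a server-created upload record and a client payload
// that tries to override the server-controlled storage fields.
function demo(updater) {
  Uploads.insertOne({ _id: 'f1', userId: 'u1', store: 'ServerStore',
                      path: 'server/path/f1', name: 'a.txt', complete: false });
  const clientFile = { name: 'renamed.txt', store: 'ClientChosenStore', path: 'client/chosen/path' };
  const rejected = updater('f1', 'u1', clientFile);
  return { doc: Uploads.findOne({ _id: 'f1' }), rejected };
}

console.log(demo(updateFileCompleteVulnerable).doc.store); // ClientChosenStore
console.log(demo(updateFileCompleteSafe));                // store stays ServerStore
```

The non-empty `rejected` list from the hardened variant is the signal a detection rule would key on: a client naming fields outside the allow-list on its own upload record.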

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker with limited privileges to modify important fields related to file storage in Rocket.Chat. Specifically, they can alter the storage location and path of uploaded files.

The CVSS score of 8.5 indicates a high severity, with potential for high confidentiality impact and limited integrity impact, but no availability impact. This means sensitive data could be exposed or manipulated by an attacker, potentially leading to unauthorized access or data leakage.
