CVE-2026-48616
Analyzed Analyzed - Analysis Complete

Unauthenticated File Access in Rocket.Chat

Vulnerability report for CVE-2026-48616, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-18

Assigner: HackerOne

Description

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-18
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
rocket.chat rocket.chat to 7.10.13 (exc)
rocket.chat rocket.chat From 7.13.0 (inc) to 7.13.9 (exc)
rocket.chat rocket.chat From 8.0.0 (inc) to 8.0.7 (exc)
rocket.chat rocket.chat From 8.1.0 (inc) to 8.1.6 (exc)
rocket.chat rocket.chat From 8.2.0 (inc) to 8.2.6 (exc)
rocket.chat rocket.chat From 8.3.0 (inc) to 8.3.6 (exc)
rocket.chat rocket.chat From 8.4.0 (inc) to 8.4.4 (exc)
rocket.chat rocket.chat From 8.5.0 (inc) to 8.5.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Rocket.Chat allows unauthenticated discovery and access to uploaded files due to improper authorization checks and predictable file IDs. This exposure of potentially sensitive files could lead to unauthorized data access.

Such unauthorized access to files may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and confidentiality.

However, the provided information does not explicitly state the direct impact on compliance or mention specific regulatory consequences.

Executive Summary

The vulnerability exists in Rocket.Chat versions prior to 8.5.1 and some specific earlier versions. It is an access control flaw in the Livechat file download functionality. The system authorizes access to protected files using parameters rc_room_type=l with rc_rid and rc_token, but it does not verify that the rc_rid parameter matches the requested file's room ID (rid).

Additionally, the file identifier (:fileId) is predictable because it uses sequential MongoDB IDs, and the file name (:name) can be arbitrary. This combination allows an unauthenticated attacker to discover and access all uploaded files without proper authorization.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive or private files uploaded via the Livechat feature in Rocket.Chat. Because the file IDs are predictable and authorization checks are insufficient, attackers can enumerate and download files they should not have access to.

The impact includes potential exposure of confidential information, privacy breaches, and data leakage. The CVSS score of 9.3 indicates a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact.

Mitigation Strategies

To mitigate this vulnerability, you should update Rocket.Chat to a patched version where the security issue has been fixed.

The security fix was included in a pull request merged on June 11, 2026, which was backported to versions 8.6.0, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. Applying these updates will address the access control vulnerability in Livechat file downloads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48616. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart