CVE-2026-48616
Status: Received - Intake
Unauthenticated File Access in Rocket.Chat

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: HackerOne

Description
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
rocket.chat rocket.chat to 8.5.1 (exc)
rocket.chat rocket.chat 8.4.4
rocket.chat rocket.chat 8.3.6
rocket.chat rocket.chat 8.2.6
rocket.chat rocket.chat 8.1.6
rocket.chat rocket.chat 8.0.7
rocket.chat rocket.chat 7.13.9
rocket.chat rocket.chat 7.10.13
rocket.chat rocket.chat 8.6.0
CWE
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

The vulnerability exists in Rocket.Chat versions prior to 8.5.1 and some specific earlier versions. It is an access control flaw in the Livechat file download functionality. The system authorizes access to protected files using parameters rc_room_type=l with rc_rid and rc_token, but it does not verify that the rc_rid parameter matches the requested file's room ID (rid).

Additionally, the file identifier (:fileId) is predictable because it uses sequential MongoDB IDs, and the file name (:name) can be arbitrary. This combination allows an unauthenticated attacker to discover and access all uploaded files without proper authorization.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive or private files uploaded via the Livechat feature in Rocket.Chat. Because the file IDs are predictable and authorization checks are insufficient, attackers can enumerate and download files they should not have access to.

The impact includes potential exposure of confidential information, privacy breaches, and data leakage. The CVSS score of 9.3 indicates a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact.

Mitigation Strategies

To mitigate this vulnerability, you should update Rocket.Chat to a patched version where the security issue has been fixed.

The security fix was included in a pull request merged on June 11, 2026, which was backported to versions 8.6.0, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. Applying these updates will address the access control vulnerability in Livechat file downloads.
