CVE-2026-45687
HighCVSS 8.5Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
A vulnerability in Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 allows an attacker to modify any field in their own upload record. This occurs because the sendFileMessage DDP method passes the entire file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign without an allow-list of writable fields.
Risk Assessment
An attacker can overwrite the store and store-specific path fields, potentially leading to unauthorized file access or data manipulation.
Recommendation
Immediately update Rocket.Chat to one of the patched versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.
Original NVD description (English source)
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

