CVE Catalog

CVE-2026-45687

HighCVSS 8.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

A vulnerability in Rocket.Chat before versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 allows an attacker to modify any field in their own upload record. This occurs because the sendFileMessage DDP method passes the entire file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign without an allow-list of writable fields.

Risk Assessment

An attacker can overwrite the store and store-specific path fields, potentially leading to unauthorized file access or data manipulation.

Recommendation

Immediately update Rocket.Chat to one of the patched versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

Original NVD description (English source)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS