CVE Catalog

CVE-2026-48616

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

Rocket.Chat versions below 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. The authorization process for downloading protected files does not verify that rc_rid matches the requested file, allowing unauthenticated discovery of all uploaded files.

Risk Assessment

The organization may be exposed to unauthorized access to sensitive files, potentially leading to data leaks and violations of user privacy.

Recommendation

It is recommended to upgrade to the latest version of Rocket.Chat to mitigate this vulnerability and implement additional access control mechanisms for files.

Original NVD description (English source)

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS