CVE-2026-48616
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
Rocket.Chat versions below 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. The authorization process for downloading protected files does not verify that rc_rid matches the requested file, allowing unauthenticated discovery of all uploaded files.
Risk Assessment
The organization may be exposed to unauthorized access to sensitive files, potentially leading to data leaks and violations of user privacy.
Recommendation
It is recommended to upgrade to the latest version of Rocket.Chat to mitigate this vulnerability and implement additional access control mechanisms for files.
Original NVD description (English source)
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.

