CVE-2026-48929
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk46th percentile — higher than 46% of all known CVEs
Summary
Rocket.Chat versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 are vulnerable to unauthenticated file deletion. The deleteFileMessage method allows for the permanent deletion of any uploaded file by ID without requiring authentication.
Risk Assessment
Organizations may lose important data as unauthorized users can delete files from the system. This poses a risk to data integrity and potential privacy breaches.
Recommendation
It is recommended to update Rocket.Chat to the latest version to mitigate this vulnerability. Additionally, implementing further access controls on file deletion methods is advisable.
Original NVD description (English source)
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.

