CVE Catalog

CVE-2026-48929

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.64%

46th percentile — higher than 46% of all known CVEs

Summary

Rocket.Chat versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 are vulnerable to unauthenticated file deletion. The deleteFileMessage method allows for the permanent deletion of any uploaded file by ID without requiring authentication.

Risk Assessment

Organizations may lose important data as unauthorized users can delete files from the system. This poses a risk to data integrity and potential privacy breaches.

Recommendation

It is recommended to update Rocket.Chat to the latest version to mitigate this vulnerability. Additionally, implementing further access controls on file deletion methods is advisable.

Original NVD description (English source)

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS