Rocketchat Rocket.Chat vulnerabilities
18 known vulnerabilities affecting rocketchat/rocket.chat.
Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 4, MEDIUM 6, LOW 2
Vulnerabilities
CVE-2026-28514 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | Fixed in 7.8.6, 7.9.8, +5 more | Date: 2026-03-06
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with
Source: NVD
CVE-2026-45689 | P2 | CRITICAL | CVSS 9.1 | CWE-943 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.1; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Ch
Source: NVD
CVE-2026-30831 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | Fixed in 7.10.8, 7.11.5, +5 more | Date: 2026-03-06
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2F
Source: NVD
CVE-2026-46423 | P3 | CRITICAL | CVSS 9.3 | CWE-347 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.1; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures r
Source: NVD
CVE-2026-45688 | P3 | CRITICAL | CVSS 9.1 | CWE-943 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.1; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's stri
Source: NVD
CVE-2026-55666 | P3 | CRITICAL | CVSS 9.3 | CWE-287 | Affected: >= 8.5.0-rc.0, < 8.5.1; >= 8.4.0-rc.0, < 8.4.4; +5 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an email parameter. If the JWT does not contain an email
Source: NVD
CVE-2026-45677 | P3 | HIGH | CVSS 8.7 | CWE-862 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.1; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not verify the signature on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID - which major identity provid
Source: NVD
CVE-2026-55762 | P3 | HIGH | CVSS 8.1 | CWE-862 | Affected: >= 8.5.0-rc.0, < 8.5.1; >= 8.4.0-rc.0, < 8.4.4; +5 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user — including a standard user role account — can call this e
Source: NVD
CVE-2026-45687 | P3 | HIGH | CVSS 8.5 | CWE-915 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.1; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There
Source: NVD
CVE-2026-55759 | P3 | HIGH | CVSS 7.4 | CWE-287 | Affected: >= 8.5.0-rc.0, < 8.5.1; >= 8.4.0-rc.0, < 8.4.4; +5 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains
Source: NVD
CVE-2026-49278 | P3 | MEDIUM | CVSS 6.7 | CWE-285 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.2; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be prese
Source: NVD
CVE-2026-23477 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | Fixed in 6.12.0 | Date: 2026-01-14
Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensiti
Source: NVD
CVE-2026-30833 | P3 | MEDIUM | CVSS 5.3 | CWE-943 | Fixed in 7.10.8, 7.11.5, +5 more | Date: 2026-03-06
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authent
Source: NVD
CVE-2021-32832 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Fixed in 3.11.3 | Date: 2021-08-30
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. In Rocket.Chat before versions 3.11.3, 3.12.2, and 3.13 an issue with certain regular expressions could potentially lead to Denial of Service. This was fixed in versions 3.11.3, 3.12.2, and 3.13.
Source: NVD
CVE-2026-47733 | P4 | MEDIUM | CVSS 4.4 | CWE-79 | Fixed in 8.5.0 | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into and attributes without protocol sanitization. Unlike the analogous LinkSpan component — which uses sanitizeUrl to block javascript:, data:, and vbscript: p
Source: NVD
CVE-2017-1000054 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: 0.8.0, 0.9.0, +66 more | Date: 2017-07-17
Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages.
Source: NVD
CVE-2026-49277 | P4 | LOW | CVSS 2.3 | CWE-613 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.2; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token fro
Source: NVD
CVE-2026-45757 | P4 | LOW | CVSS 2.3 | CWE-613 | Affected: >= 8.5.0-rc.0, < 8.5.0; >= 8.4.0-rc.0, < 8.4.2; +6 more | Date: 2026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticat
Source: NVD