Rocketchat Rocket Chat
Thousands of developers use stack.watch to stay informed. Get an email whenever new security vulnerabilities are reported in Rocketchat Rocket Chat.
By the Year
In 2026 there have been 23 vulnerabilities in Rocketchat Rocket Chat with an average score of 7.3 out of ten. Last year, in 2025, Rocket Chat had 1 security vulnerability published. That is, 22 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was higher by 0.19.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 23 | 7.31 |
| 2025 | 1 | 7.50 |
| 2024 | 6 | 6.60 |
| 2023 | 10 | 6.64 |
| 2022 | 17 | 5.68 |
| 2021 | 10 | 7.50 |
| 2020 | 2 | 7.95 |
| 2019 | 1 | 0.00 |
| 2018 | 2 | 0.00 |
It may take a day or so for new Rocket Chat vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Rocketchat Rocket Chat Security Vulnerabilities
Rocket.Chat Auth Bypass via /api/v1/fingerprint (8.5.1)
CVE-2026-55762
8.1 - High
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any authenticated user including a standard user role account can call this endpoint with {"setDeploymentAs": "new-workspace"} to permanently deregister the workspace from Rocket.Chat Cloud. This wipes all cloud credentials, removes the workspace license, breaks push notifications for all users, and requires manual re-registration to recover. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
AuthZ
Apple Sign-In JWT Claims Bypass in Rocket.Chat <8.5.1 (Replays Allowed)
CVE-2026-55759
7.4 - High
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
authentication
CVE-2026-55666 Rocket.Chat <8.5.1 Apple OAuth JWT email bypass in loginHandler
CVE-2026-55666
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an email parameter. If the JWT does not contain an email address, the application falls back to accepting an arbitrary email value supplied directly in the request. Attackers are able to forge Apple JWTs that do not contain an email address and leverage this vulnerability to carry out account takeover attacks. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
authentication
Rocket.Chat visitor.info token leakage (before 8.5.0)
CVE-2026-49278
6.7 - Medium
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
AuthZ
OAuth Tokens Not Revoked on User Deactivation in Rocket.Chat <8.5
CVE-2026-49277
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth access token, and can also mint a fresh access token from an existing refresh token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Insufficient Session Expiration
Rocket.Chat 8.5.0 Idle Deactivation Token Reuse
CVE-2026-45757
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has marked inactive for idleness can still access authenticated REST endpoints with the old token. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Insufficient Session Expiration
Rocket.Chat SAML Auth Bypass (Signature Validation Skipped) <8.5.0
CVE-2026-46423
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting. Because provider registration only gates on the SAML "enabled" toggle and not on the presence of a certificate, an administrator who enables SAML without pasting an IdP certificate obtains a fully wired, publicly reachable SAML login endpoint that accepts unsigned or attacker-supplied assertions. This is a default-configuration authentication-bypass class: the fail-open branch is reached with no misconfiguration beyond leaving a field at its shipped default. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Improper Verification of Cryptographic Signature
Unauthenticated OAuth token hijack via MongoDB injection in Rocket.Chat <8.5.0
CVE-2026-45689
9.1 - Critical
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with MongoDB query operators to /oauth/token. The Rocket.Chat OAuth2 server does not validate that grant parameters are strings before forwarding them to findOne({...}) against the oauth_apps and oauth_access_tokens collections, so an attacker substitutes {"$ne": null} for client_id, client_secret, and refresh_token and receives a freshly minted {access_token, refresh_token} pair bound to whichever user's refresh token Mongo returned first. The resulting access token is a first-class bearer credential against the full /api/v1/* surface as that user. By iterating with $nin / $regex operators the attacker walks the entire oauth_access_tokens collection, collecting one fresh access token per user per request. If any matched token belongs to an admin, the stolen bearer gives full admin API access (including Apps-Engine app installation, i.e. server-side code execution). No account, credentials, userId, or prior interaction with the instance are required. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Improper Neutralization of Special Elements in Data Query Logic
NoSQLi via CAS login, Auth token theft in Rocket.Chat prior to 8.5.0
CVE-2026-45688
9.1 - Critical
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({_id: ...}) query without any runtime type check. TypeScript's string parameter annotation is erased at runtime, so an unauthenticated attacker can substitute a MongoDB query operator ({"$gt": ""}, {"$ne": null}, etc.) for what the server expects to be an opaque ticket string. The injected operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket check entirely. When any legitimate CAS or SAML SSO login is in flight, the attacker's next DDP login call matches the same credential-token row via the NoSQL operator and is issued a full Meteor auth token (userId + token) bound to the victim. The token is immediately usable against the complete REST and DDP surface as that user. If the victim is an administrator, this escalates to full instance compromise via Apps-Engine app install. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Improper Neutralization of Special Elements in Data Query Logic
Rocket.Chat 8.x MongoDB Write Bypass in sendFileMessage DDP (v8.5.0+)
CVE-2026-45687
8.5 - High
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Mass Assignment
Rocket.Chat SAML LogoutRequest Signature Bypass (8.5.0)
CVE-2026-45677
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not verify the signature on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID - which major identity providers (Okta, Google Workspace, Microsoft Entra ID, JumpCloud) expose as the user's email address - can craft a valid-looking unsigned LogoutRequest and submit it to the SP logout endpoint. The server processes it as legitimate, immediately destroying the victim's session. Because the attack requires no authentication and no interaction from the victim, it can be repeated in a loop against individual users or scripted across many accounts, effectively rendering the Rocket.Chat instance unusable for SAML-authenticated users. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
AuthZ
Rocket.Chat <=8.4.0 XSS via ImageElement unsanitized URL
CVE-2026-47733
4.4 - Medium
- June 24, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component, which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols, ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0.
XSS
Rocket.Chat <8.5.1 unauthenticated File Deletion via deleteFileMessage
CVE-2026-48929
- June 16, 2026
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
authentication
Rocket.Chat <=8.5.1 Access Control flaw in Livechat file downloads
CVE-2026-48616
- June 16, 2026
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
Authorization
Unauthorized message read via Rocket.Chat <8.5.0 translateMessage()
CVE-2026-32995
- May 28, 2026
The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method.
Authorization
Unauthorized Msg Retrieval via Autotranslate Endpt in Rocket.Chat <8.5
CVE-2026-32994
- May 19, 2026
The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.
Authorization
Authenticated Log Access via Permission Check Typos in Apps-Engine API (prev8.4.0)
CVE-2026-29197
4.3 - Medium
- April 23, 2026
In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.
Authorization
Rocket.Chat <8.3 NoSQL Injection allows OAuth token takeover
CVE-2026-29198
9.8 - Critical
- April 22, 2026
In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.
SQL Injection
Open Redirect in Rocket.Chat SAML before 8.4.0
CVE-2026-22560
5.3 - Medium
- April 10, 2026
An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.
Open Redirect
Rocket.Chat NoSQL Injection via DDP-Streamer (pre 7.10.8, 7.11.5, 7.12.5)
CVE-2026-30833
- March 06, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Improper Neutralization of Special Elements in Data Query Logic
Rocket.Chat DDP Streamer Auth Bypass: 2FA Not Enforced (v<7.10.8/7.11.5)
CVE-2026-30831
- March 06, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still log in), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
authentication
Auth Bypass in Rocket.Chat Fixed in 7.8.6/7.9.8/7.10.7
CVE-2026-28514
- March 06, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.
authentication
Auth Bypass: GET /api/v1/oauth-apps.get Exposes OAuth App in Rocket.Chat
CVE-2026-23477
7.7 - High
- January 14, 2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.
Improper Privilege Management
RocketChat <=7.6.1 Regex DoS in parseMessage.js
CVE-2025-5892
7.5 - High
- June 09, 2025
A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the argument line leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
ReDoS
DoS in Rocket.Chat <=6.12 via Malformed Message Parsing
CVE-2024-46935
7.5 - High
- September 25, 2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an issue in the message parser.
Stored XSS in Rocket.Chat Marketplace & App Descriptions (v6.12.0)
CVE-2024-47048
5.4 - Medium
- September 25, 2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.
XSS
Rocket.Chat 6.12.0/6.11.2 DOM XSS via UpdateOTRAck
CVE-2024-46934
6.1 - Medium
- September 25, 2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.
XSS
Message Forgery via UpdateOTRAck in Rocket.Chat 6.12.0-6.7.8 & earlier
CVE-2024-46936
- September 25, 2024
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and before is vulnerable to a message forgery / impersonation issue. Attackers can abuse the UpdateOTRAck method to send ephemeral messages as if they were any other user they choose.
Rocket.Chat Electron App 6.3.4 Stored XSS via PDF links (CVE-2024-45621)
CVE-2024-45621
5.4 - Medium
- September 02, 2024
The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents.
XSS
SSRF in Rocket.Chat Twilio webhook before 6.10.1
CVE-2024-39713
8.6 - High
- August 05, 2024
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
SSRF
Rocket.Chat <6.0 Improper Auth: Rid Parameter Manipulation in updateMessage
CVE-2023-28325
6.5 - Medium
- May 11, 2023
An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow an attacker to manipulate the rid parameter passed to the updateMessage method, which only checks whether the user is allowed to edit messages in the target room.
authorization
ChatGPT Hot Loop DoS via Crafted Message Chain
CVE-2023-28356
7.5 - High
- May 11, 2023
A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the chat to enter a hot loop on one of the processes, consuming ~120% CPU and rendering the service unresponsive.
Resource Exhaustion
Rocket.Chat ACL Check After Membership Causes Privileged Username Enumeration
CVE-2023-28357
4.3 - Medium
- May 11, 2023
A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to.
Information Disclosure
Rocket.Chat markdown parsing flaw in Search Messages allows tag injection
CVE-2023-28358
6.1 - Medium
- May 11, 2023
A vulnerability has been discovered in Rocket.Chat where a markdown parsing issue in the "Search Messages" feature allows the insertion of malicious tags. This can be exploited on servers with the content security policy disabled, possibly leading to attacks such as account takeover.
XSS
NoSQL Injection in Rocket.Chat listEmojiCustom Method (CVE-2023-28359)
CVE-2023-28359
5.3 - Medium
- May 11, 2023
A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited by unauthenticated users when there is at least one custom emoji uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact.
SQL Injection
Rocket.Chat 2FA: Session Leak Persists After Enabling 2FA
CVE-2023-28316
9.8 - Critical
- May 09, 2023
A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow an attacker to maintain access to a compromised account even after 2FA is enabled.
Session Fixation
Rocket.Chat Message Deletion Bypass via Hidden Messages
CVE-2023-28318
5.3 - Medium
- May 09, 2023
A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices.
Timestamp tampering in Rocket.Chat causes message reorder
CVE-2023-28317
5.3 - Medium
- May 09, 2023
A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to display messages in an incorrect order.
Improper Access Control in Chat App Breaks E2E Encryption via Group Key Modification (CVE-2023-23911)
CVE-2023-23911
7.5 - High
- March 10, 2023
An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room.
Inadequate Encryption Strength
Prototype Pollution in Rocket.Chat <5.2.0 Enabling RCE via Admin Privileges
CVE-2023-23917
8.8 - High
- February 23, 2023
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to achieve RCE under the admin account. Any user can create their own server in your cloud and become an admin, so this vulnerability could affect the cloud infrastructure. This attack vector may also increase the impact of XSS to RCE, which is dangerous for self-hosted users as well.
Prototype Pollution
Cmd Injection in Rocket.Chat-Desktop <3.8.14 via openInternalVideoChatWindow
CVE-2022-44567
9.8 - Critical
- December 23, 2022
A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API.
Shell injection
Rocket.Chat NoSQL-Inject URL Disclosure via getS3FileUrl <5.0, <4.8.2, <4.7.5
CVE-2022-35246
4.3 - Medium
- September 23, 2022
A NoSQL-Injection information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users who should not be able to access them.
Rocket.Chat XSS via Style Injection in Chat Messages
CVE-2022-35251
5.4 - Medium
- September 23, 2022
A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window. An adversary is able to manipulate not only its style, but can also block functionality and hijack the content of targeted users. Since the payloads are stored in messages, it is a persistent attack vector, which triggers as soon as the message is viewed.
XSS
info disclosure via getUserMentionsByChannel method in Rocket.Chat <5
CVE-2022-35249
4.3 - Medium
- September 23, 2022
An information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.
AuthZ
Rocket.Chat <5 2FA Bypass via CAS Auth
CVE-2022-35248
8.8 - High
- September 23, 2022
An improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allows two-factor authentication to be bypassed when telling the server to use CAS during login.
authentication
Info Disclosure in Rocket.Chat v5-<4.8.2 via getRoomRoles ACL
CVE-2022-35247
4.3 - Medium
- September 23, 2022
An information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leaks channel members with special roles to unauthorized clients.
AuthZ
Rocket.Chat <=v5: Improper Access via getUsersOfRoom
CVE-2022-32226
4.3 - Medium
- September 23, 2022
An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 because input data in the getUsersOfRoom Meteor server method is not type validated: MongoDB query operator objects are accepted by the server, so instead of a matching rid String a $regex query can be executed, bypassing the room access permission check for every matching room but the first.
Improper Input Validation
Rocket.Chat <4.6.4 Cleartext Oauth Tokens Leak in Logs
CVE-2022-32217
5.3 - Medium
- September 23, 2022
A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs.
Insertion of Sensitive Information into Log File
Rocket.Chat Mobile App <4.14.1.22788 Improper Auth Bypass (PIN)
CVE-2022-30124
6.8 - Medium
- September 23, 2022
An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical access to a mobile device to bypass local authentication (PIN code).
authentication
Privilege Escalation in Rocket.Chat <5: Auth Users View Direct Messages
CVE-2022-35250
4.3 - Medium
- September 23, 2022
A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions.
Incorrect Permission Assignment for Critical Resource