CVE-2026-45687

HIGH 8.5

Rocket.Chat: Authenticated Arbitrary Data Export Theft via Mass Assignment in sendFileMessage

CVSS Score

8.5

EPSS Score

0.0%

EPSS Percentile

0th

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

CWE	CWE-915
Vendor	rocketchat
Product	rocket.chat
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for rocketchat rocket.chat

Be the first to know when new high vulnerabilities affecting rocketchat rocket.chat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

RocketChat / Rocket.Chat

>= 8.5.0-rc.0, < 8.5.0 >= 8.4.0-rc.0, < 8.4.1 >= 8.3.0-rc.0, < 8.3.3 >= 8.2.0-rc.0, < 8.2.3 >= 8.1.0-rc.0, < 8.1.4 >= 8.0.0-rc.0, < 8.0.5 >= 7.11.0-rc.0, < 7.13.7 < 7.10.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-fhc2-x8cp-c5ch