CVE-2026-48929

HIGH 7.5

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.

CWE	CWE-287
Vendor	rocket.chat
Product	rocket.chat
Published	Jun 16, 2026

Stay Ahead of the Next One

Get instant alerts for rocket.chat rocket.chat

Be the first to know when new high vulnerabilities affecting rocket.chat rocket.chat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

Rocket.Chat / Rocket.Chat

0 < 8.5.1 0 < 8.4.4 0 < 8.3.6 0 < 8.2.6 0 < 8.1.6 0 < 8.0.7 0 < 7.13.9 0 < 7.10.13

References

NVD ↗ CVE.org ↗ EPSS Data ↗

hackerone.com: https://hackerone.com/reports/3611837 github.com: https://github.com/RocketChat/Rocket.Chat/pull/40889/