Permission Check Flaw in Rocket.Chat
CVE-2026-29197

Currently unrated

Key Information:

Vendor: Rocket.chat
Status: Rocket.chat
Vendor: CVE Published:; 23 April 2026

🔔 Create Rocket.chat Vulnerability Alert

What is CVE-2026-29197?

A vulnerability exists in Rocket.Chat where certain versions contain a typo in the permission check for the endpoints /api/apps/logs and /api/apps/:id/logs. This flaw allows authenticated users to access apps-engine logs without the necessary permissions, potentially exposing sensitive information and compromising the security integrity of user data.

Affected Version(s)

Rocket.Chat 8.4.0

Rocket.Chat 8.3.2

Rocket.Chat 8.2.2

References

https://hackerone.com/reports/3589551

https://github.com/RocketChat/Rocket.Chat/pull/40125

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29197 Data

JSON