Access Control Flaw in Rocket.Chat Affecting File Downloads
CVE-2026-48616

9.3 CRITICAL

Key Information:

Vendor: Rocket.Chat
CVE Published: 16 June 2026

What is CVE-2026-48616?

Rocket.Chat, a popular messaging platform, has disclosed an access control vulnerability in its Livechat feature that affects several versions. The flaw allows an unauthenticated user to retrieve protected uploaded files through predictable URL patterns: the authorization check does not adequately verify that the requested file record ID corresponds to a file the requester is actually entitled to access. Because file IDs are assigned in a predictable sequence and file names are not constrained, every uploaded file can be discovered and downloaded without authentication, exposing sensitive information to unauthorized individuals.

Affected Version(s)

Rocket.Chat 0 <= version < 8.5.1

Rocket.Chat 0 <= version < 8.4.4

Rocket.Chat 0 <= version < 8.3.6

CVSS V3.0

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 16 June 2026

  • Vulnerability reserved