RocketChat

Products: Rocket.chat (74 CVEs), npm (1 CVE)
Recent CVEs (75 total)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-29151 | | Critical | 0.59 | 9.1 | 0.00 | | Mar 18, 2024 | Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist in PyPI. |
| CVE-2026-29198 | | Critical | 0.57 | 9.8 | 0.00 | | Apr 23, 2026 | In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured. |
| CVE-2024-46936 | | High | 0.49 | 7.5 | 0.00 | | Sep 25, 2024 | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and before is vulnerable to a message forgery / impersonation issue. Attackers can abuse the UpdateOTRAck method to send ephemeral messages as if they were any other user they choose. |
| CVE-2024-42027 | | Medium | 0.44 | 6.7 | 0.01 | | Oct 7, 2024 | The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources. |
| CVE-2026-32995 | | High | 0.42 | 7.5 | 0.00 | | May 28, 2026 | The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room… |
| CVE-2017-1000054 | | Medium | 0.40 | 6.1 | 0.01 | | Jul 17, 2017 | Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages. |
| CVE-2024-8270 | | Medium | 0.36 | 5.5 | 0.00 | | Jun 11, 2025 | The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client).… |
| CVE-2018-13879 | | Medium | 0.35 | 5.4 | 0.01 | | Jul 11, 2018 | A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username… |
| CVE-2026-32994 | | Medium | 0.34 | 5.3 | 0.00 | | May 19, 2026 | The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply… |
| CVE-2025-5892 | | Medium | 0.28 | 4.3 | 0.01 | | Jun 9, 2025 | A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the argument line leads to inefficient… |
| CVE-2026-22560 | | Medium | 0.27 | 5.3 | 0.00 | | Apr 10, 2026 | An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint. |
| CVE-2026-29197 | | Medium | 0.21 | 4.3 | 0.00 | | Apr 24, 2026 | In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs. |
| CVE-2021-22911 | | | 0.10 | — | 0.95 | | May 27, 2021 | An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE. |
| CVE-2020-28208 | | | 0.04 | — | 0.11 | | Jan 8, 2021 | An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. |
| CVE-2026-55762 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication (authRequired: true) but performs no authorization check. Any… |
| CVE-2026-55759 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss… |
| CVE-2026-55666 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try… |
| CVE-2026-49278 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in… |
| CVE-2026-49277 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using… |
| CVE-2026-45757 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an… |