8.5

CVE-2026-45687

Rocket.Chat: Authenticated Arbitrary Data Export Theft via Mass Assignment in sendFileMessage

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRocketChat
Produkt Rocket.Chat
Version >= 8.5.0-rc.0, < 8.5.0
Status affected
Version >= 8.4.0-rc.0, < 8.4.1
Status affected
Version >= 8.3.0-rc.0, < 8.3.3
Status affected
Version >= 8.2.0-rc.0, < 8.2.3
Status affected
Version >= 8.1.0-rc.0, < 8.1.4
Status affected
Version >= 8.0.0-rc.0, < 8.0.5
Status affected
Version >= 7.11.0-rc.0, < 7.13.7
Status affected
Version < 7.10.11
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.106
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 8.5 3.1 4.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-fhc2-x8cp-c5ch