CVE-2026-48616: Rocket
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
Metrics
- CVSS v3.0: 9.3
- Severity: CRITICAL
- Fixed in: 7.10.13
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a broken access control vulnerability in Rocket.Chat's Livechat file-download endpoint. The endpoint at /file-upload/:fileId/:name accepts a livechat session token (rc_rid plus rc_token) to authorize downloads, but never checks whether rc_rid actually belongs to the file being requested. Because MongoDB object IDs are sequential and predictable, and the :name segment accepts any value, an unauthenticated attacker can enumerate and download any file uploaded to the chat server without holding a valid session for that file. Patched-image rebuilds at versions 7.10.13, 7.13.9, 8.0.7, 8.1.6, and 8.2.6 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-48616 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Rocket.Chat. Both registry scans and CI pipeline scans are covered.
HarborGuard triage capabilities score this CVE at 9.3 CRITICAL (CVSS v3.0) and apply each customer organization's compliance policy weighting to determine urgency; the resulting alert is routed to the appropriate team inbox within the affected customer org based on configured ownership rules.
A patched-image rebuild at the applicable fix version (7.10.13, 7.13.9, 8.0.7, 8.1.6, or 8.2.6 depending on the branch in use) becomes available through HarborGuard once the upstream image is published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the Rocket.Chat server to exploit this vulnerability.
- Authentication: Not required
  No account or session credentials are required; the attacker supplies an arbitrary livechat token that the server never validates against the requested file.
- Victim interaction: Not required
  The attacker interacts directly with the server endpoint; no user action or social engineering is needed.
- Attack complexity
  The exploit is reliable and condition-free; MongoDB object IDs are sequential, making file enumeration straightforward with no race conditions or special environmental setup required.
Blast Radius
- Reads any file uploaded by any user or livechat visitor on the server, including documents, images, and attachments shared in private conversations.
- Enumerates the full corpus of uploaded files by iterating predictable sequential file IDs, with no prior knowledge of room membership or file names.
- Exposes potentially sensitive business documents, identity verification files, or customer support attachments that were assumed to be access-controlled.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48616 fires within minutes of advisory ingestion and covers all images in customer registries and build pipelines that include an affected Rocket.Chat version. Given the CRITICAL severity and zero-authentication requirement, this CVE is prioritized for fast-path triage, and patched-image rebuilds at the appropriate fix branch (7.10.13, 7.13.9, 8.0.7, 8.1.6, or 8.2.6) are made available as soon as upstream images are published. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the triage alert includes the relevant fix version and a direct link to the upstream changelog so engineers can act manually.
Fix available
- Rocket.Chat / Rocket.Chat: < 8.5.1 (from 0) · < 8.4.4 (from 0) · < 8.3.6 (from 0) · < 8.2.6 (from 0) · < 8.1.6 (from 0) · < 8.0.7 (from 0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N