CVE-2026-48929: Rocket
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
Metrics
- CVSS v3.0: 7.5
- Severity: HIGH
- Fixed in: 7.10.13
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated file deletion vulnerability exists in Rocket.Chat across several version branches below the patched releases. Any unauthenticated attacker reachable over the network can invoke the deleteFileMessage Meteor method via a WebSocket connection without logging in, causing a flawed null-user authorization check to be silently skipped. Successful exploitation permanently deletes any uploaded file from storage and the database by its ID, which is discoverable from public channel messages and download URLs. Patched-image rebuilds at versions 7.10.13, 7.13.9, 8.0.7, 8.1.6, and 8.2.6 are available on HarborGuard for environments running affected versions.
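As an added illustration of the null-user check failure described in the description and synopsis above (example code written for this page, not Rocket.Chat's own source): the vulnerable shape, in which the permission check only runs when a user ID is present, beside the fixed shape that rejects anonymous callers before touching the store. The in-memory store, the canDelete ownership rule, the helper names and the error strings are assumptions; only the method name deleteFileMessage, the null return of Meteor.userId() for anonymous DDP callers, and the deleteById call come from the advisory.

```javascript
// Added example (not Rocket.Chat's code): a minimal model of a Meteor-style
// method's authorization flow, showing why a null userId from an
// unauthenticated DDP caller reaches deleteById(), and the corrected ordering.
// Assumed: an in-memory Map standing in for FileUpload.getStore('Uploads'),
// and a canDelete() ownership rule. Both are constructed for this example.

// Constructed sample store: file IDs of the kind visible in message payloads.
function makeStore() {
  const files = new Map([
    ["file-aaa", { owner: "alice" }],
    ["file-bbb", { owner: "bob" }],
  ]);
  return {
    findById: (id) => files.get(id) || null,
    deleteById: (id) => files.delete(id), // true if the file existed
    size: () => files.size,
  };
}

// Assumed ownership rule: only the uploader may delete a file.
function canDelete(userId, file) {
  return file.owner === userId;
}

// Vulnerable shape: the permission check is guarded by "userId &&", so when
// userId is null the check is skipped and execution falls through to deleteById().
function deleteFileMessageVulnerable(store, userId, fileId) {
  const file = store.findById(fileId);
  if (!file) throw new Error("error-invalid-file");
  if (userId && !canDelete(userId, file)) {
    throw new Error("error-not-allowed");
  }
  return store.deleteById(fileId); // reached with userId === null
}

// Fixed shape: fail closed on a missing user before any store access, then
// apply the ownership check unconditionally.
function deleteFileMessageFixed(store, userId, fileId) {
  if (!userId) throw new Error("error-invalid-user");
  const file = store.findById(fileId);
  if (!file) throw new Error("error-invalid-file");
  if (!canDelete(userId, file)) throw new Error("error-not-allowed");
  return store.deleteById(fileId);
}

// Runs one implementation as an anonymous caller (userId === null) against a
// fresh store and reports whether the call was rejected and the file survived.
function unauthenticatedCallOutcome(impl, fileId) {
  const store = makeStore();
  let rejected = false;
  try {
    impl(store, null, fileId);
  } catch (e) {
    rejected = true;
  }
  return { rejected, fileStillPresent: store.findById(fileId) !== null };
}
```

The defensive point is the ordering: an authorization check of the form `if (userId && !allowed)` treats "no user" as "nothing to check", so any code path reachable by anonymous callers must assert the presence of a user first and only then evaluate permissions.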
HarborGuard Coverage
Detection of CVE-2026-48929 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using upstream feed ingestion from HackerOne and mirrored advisory sources. Matching covers all registry images and CI/CD pipeline builds, including custom-built images derived from affected Rocket.Chat base layers.
Triage is available with a CVSS v3.0 score of 7.5 (HIGH) applied automatically, weighted against each customer environment's compliance policy to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the applicable fix version (7.10.13, 7.13.9, 8.0.7, 8.1.6, or 8.2.6 depending on the installed branch) becomes available on HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run a regression test suite against the new image, and open a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Rocket.Chat WebSocket endpoint over the network; no prior access to the host is needed.
- Authentication: Not required
No account or credentials are needed; the vulnerability is reachable via an unauthenticated DDP WebSocket connection.
- Victim interaction: Not required
No user action or social engineering is required; the attacker sends the malicious method call directly.
- Attack complexity: Low (CVSS AC:L)
The exploit is reliable and condition-free; file IDs are discoverable from public channel message payloads and download URLs, requiring no special timing or environmental setup.
Blast Radius
- Permanently deletes any uploaded file from Rocket.Chat storage and the database by ID, with no recovery path once the deletion executes.
- Destroys message attachments, shared documents, and media files across all channels whose IDs are visible in public message payloads or download URLs.
- Enables systematic destruction of file content at scale, since file IDs are enumerable from public channel history without authentication.
- Does not expose or modify confidential data or account credentials, but eliminates file availability entirely for affected records.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48929 is active across all connected registries and pipelines, with matching against affected Rocket.Chat image versions occurring within minutes of advisory ingestion. For environments running a vulnerable version, a patched-image rebuild at the appropriate fix version (7.10.13, 7.13.9, 8.0.7, 8.1.6, or 8.2.6) is available. Where compliance policy permits auto-remediation, HarborGuard triggers the rebuild, executes a regression run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the triage queue with severity HIGH and CVSS 7.5 for manual review. As a compensating control while a patched image is being deployed, consider applying network policy rules that restrict unauthenticated external access to the Rocket.Chat WebSocket port (typically 3000/TCP) and enabling egress filtering on the container to limit lateral exposure.
Fix available
- Rocket.Chat / Rocket.Chat: < 8.5.1 (from 0) · < 8.4.4 (from 0) · < 8.3.6 (from 0) · < 8.2.6 (from 0) · < 8.1.6 (from 0) · < 8.0.7 (from 0)
CVSS v3.0 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H