CVE-2026-45687

Summary

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Affected Software

VendorProductVersion RangeStatus
RocketChatRocket.Chat>= 8.5.0-rc.0, < 8.5.0affected
RocketChatRocket.Chat>= 8.4.0-rc.0, < 8.4.1affected
RocketChatRocket.Chat>= 8.3.0-rc.0, < 8.3.3affected
RocketChatRocket.Chat>= 8.2.0-rc.0, < 8.2.3affected
RocketChatRocket.Chat>= 8.1.0-rc.0, < 8.1.4affected
RocketChatRocket.Chat>= 8.0.0-rc.0, < 8.0.5affected
RocketChatRocket.Chat>= 7.11.0-rc.0, < 7.13.7affected
RocketChatRocket.Chat< 7.10.11affected

Weaknesses

  • CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References