CVE-2026-48616

🗓️ 16 Jun 2026 23:08:37Reported by hackeroneType

Rocket.Chat versions

Reporter	Title	Published	Views	Family All 5
Circl	CVE-2026-48616	17 Jun 202600:50	–	circl
CVE	CVE-2026-48616	16 Jun 202623:08	–	cve
EUVD	EUVD-2026-37514	16 Jun 202623:08	–	euvd
Hacker One	Rocket.Chat: Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId()	21 Apr 202614:58	–	hackerone
Positive Technologies	PT-2026-50128	16 Jun 202600:00	–	ptsecurity

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Rocket.Chat",
    "product": "Rocket.Chat",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThan": "8.5.1",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "8.4.4",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "8.3.6",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "8.2.6",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "8.1.6",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "8.0.7",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "7.13.9",
        "versionType": "semver"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "7.10.13",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/RocketChat/Rocket.Chat/pull/40889
hackerone	www.hackerone.com/reports/3687142

16 Jun 2026 23:08Current

CVSS 39.3

CWE-284