9 matches found

NVD
added 2026/05/28 5:16 a.m. · 10 views

CVE-2026-32995

The Rocket.Chat DDP method autoTranslate.translateMessage in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage without checking Meteor.userId or verifying room membership. Any authenticated D...

CVSS 7.5 · EPSS 0.00042 · Exploits 0 · References 2
Cvelist
added 2026/03/06 5:35 p.m. · 38 views

CVE-2026-28514 Rocket.Chat: Users can login with any password via the EE ddp-streamer-service

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows a...

CVSS 9.3 · EPSS 0.00076 · Exploits 0 · References 3
Vulnrichment
added 2026/03/06 5:35 p.m. · 5 views

CVE-2026-28514 Rocket.Chat: Users can login with any password via the EE ddp-streamer-service

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows a...

CVSS 9.3 · AI score 5.8 · EPSS 0.00076 · Exploits 0 · References 3
CNNVD
added 2026/01/14 12:0 a.m. · 3 views

Rocket.Chat security vulnerability

Rocket.Chat is a chat program from Rocket.Chat, Inc. A security vulnerability exists in Rocket.Chat version 6.12.0 and earlier, which stems from the API endpoint GET /api/v1/oauth-apps.get being exposed to any authenticated user, potentially leading to the disclosure of sensitive information...

CVSS 7.7 · AI score 6.3 · EPSS 0.00067 · Exploits 1 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2023-32023

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.4 · EPSS 0.0041 · Exploits 0 · References 1
Zero Day Initiative
added 2025/07/21 12:0 a.m. · 5 views

rocket.chat Incorrect Authorization Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of rocket.chat. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 3000 by default. The issue results from...

CVSS 3.7 · AI score 6 · EPSS 0.00073 · Exploits 0 · References 1
RedhatCVE
added 2025/05/23 3:36 a.m. · 4 views

CVE-2023-28318

A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the MessageKeepHistory or MessageShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices...

CVSS 5.3 · AI score 6.8 · EPSS 0.0009 · Exploits 0 · References 1
RedhatCVE
added 2025/05/22 7:16 p.m. · 7 views

CVE-2021-22886

Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags, allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app...

CVSS 6.1 · AI score 5.8 · EPSS 0.00752 · Exploits 0 · References 1
Positive Technologies
added 2024/09/24 12:0 a.m. · 2 views

PT-2024-32287 · Unknown · Rocket.Chat

Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions 6.12.0 through 6.7.8 and before
Description: The issue allows attackers to abuse the UpdateOTRAck method to send ephemeral messages as if they were any other user they choose, leading to a message forgery and impersonatio...

CVSS 7.5 · AI score 7.1 · EPSS 0.00101 · Exploits 0 · References 5