What is CVE-2026-48616?

CVE-2026-48616 is a critical-severity vulnerability in Rocket.chat, classified under Improper Access Control. CVSS score: 9.3/10. Published 2026-06-17.

How severe is CVE-2026-48616?

Critical severity. CVSS v3 base score is 9.3 out of 10.

Vulnerability in Rocket.chat

CVE-2026-48616

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l wi…

CVSS v3 metric

CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.

Affected products

Rocket.chat — versions 0

Weakness classification (CWE)

CWE-284 — Improper Access Control

References

support@hackerone.com
support@hackerone.com

Frequently asked questions

What is CVE-2026-48616?: CVE-2026-48616 is a critical-severity vulnerability in Rocket.chat, classified under Improper Access Control. CVSS score: 9.3/10. Published 2026-06-17.
How severe is CVE-2026-48616?: Critical severity. CVSS v3 base score is 9.3 out of 10.