
RocketChat

Rocket.Chat

Open-source team chat and collaboration platform.

Current version
Last checked: 2026-06-03

8.4.3

Release date
June 02, 2026
Security status
Current version appears affected by 1 high-severity CVE.

Source

GitHub API

Public release notes are linked for the latest stored release.

Release history

See the latest published releases stored for this product.

Version Published Notes
8.4.3 2026-06-02 Release Notes
8.4.2 2026-05-22 Release Notes
8.4.1 2026-05-08 Release Notes
8.4.0 2026-04-30 Release Notes

Vulnerability tracking

versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.

Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.

CVE Severity Published Status Summary
CVE-2026-32995 HIGH (7.5) 2026-05-28 Current version not affected

The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method.

Affected versions
  • From (including) 8.5.0 - Up to (excluding) 8.5.0
  • From (including) 8.4.0 - Up to (excluding) 8.4.2
  • From (including) 8.3.0 - Up to (excluding) 8.3.4
  • From (including) 8.2.0 - Up to (excluding) 8.2.4
  • From (including) 8.1.0 - Up to (excluding) 8.1.5
  • From (including) 8.0.0 - Up to (excluding) 8.0.6
  • From (including) 7.13.0 - Up to (excluding) 7.13.8
  • From (including) 7.10.0 - Up to (excluding) 7.10.12
CVE-2026-29198 CRITICAL (9.8) 2026-04-23 Current version affected

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

Affected versions
  • Up to (excluding) 7.10.9
  • From (including) 7.11.0 - Up to (excluding) 7.11.6
  • From (including) 7.12.0 - Up to (excluding) 7.12.6
  • From (including) 7.13.0 - Up to (excluding) 7.13.5
  • From (including) 8.0.0 - Up to (excluding) 8.0.3
  • From (including) 8.1.0 - Up to (excluding) 8.1.2
  • From (including) 8.2.0 - Up to (excluding) 8.2.1
CVE-2026-30831 CRITICAL (9.8) 2026-03-06 Current version not affected

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Affected versions
  • Up to (excluding) 7.10.8
  • From (including) 7.11.0 - Up to (excluding) 7.11.5
  • From (including) 7.12.0 - Up to (excluding) 7.12.5
  • From (including) 7.13.0 - Up to (excluding) 7.13.4
  • From (including) 8.0.0 - Up to (excluding) 8.0.2
  • From (including) 8.1.0 - Up to (excluding) 8.1.1
CVE-2026-28514 CRITICAL (9.8) 2026-03-06 Current version not affected

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.

Affected versions
  • Up to (excluding) 7.8.6
  • From (including) 7.9.0 - Up to (excluding) 7.9.8
  • From (including) 7.10.0 - Up to (excluding) 7.10.7
  • From (including) 7.11.0 - Up to (excluding) 7.11.4
  • From (including) 7.12.0 - Up to (excluding) 7.12.4
  • From (including) 7.13.0 - Up to (excluding) 7.13.3