| Title | Weakness | Reporter | Severity | Disclosed |
|---|---|---|---|---|
| Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check | Insecure Direct Object Reference (IDOR) | deprrous | High | 2026-05-25 |
| IDOR: autotranslate.translateMessage Full Message Content Leak | Insecure Direct Object Reference (IDOR) | josan_george | Medium | 2026-05-18 |
| RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs | Improper Access Control - Generic | arccode | Medium | 2026-04-23 |
| Complete authentication bypass to admin permissions | SQL Injection | npc | Critical | 2026-04-22 |
| Open Redirect in Rocket.Chat | Open Redirect | soohyun | Medium | 2026-04-10 |
| IDOR vulnerability leads to Deleting message after leaving/getting banned from group using message ID | Insecure Direct Object Reference (IDOR) | yash24 | Low | 2024-10-13 |
| The initial E2EE password generated by Rocket.Chat mobile can be recovered in a practical timescale. | Use of Insufficiently Random Values | h0011 | High | 2024-10-01 |
| XSS via /api/v1/chat.postMessage | Cross-site Scripting (XSS) - Stored | gronke | Critical | 2024-08-10 |
| Guest Privilege Escalation to admin group | Improper Access Control - Generic | gronke | Critical | 2024-08-10 |
| Upload of Avatars for other Users | Improper Access Control - Generic | gronke | Medium | 2024-08-10 |
| Online Status of arbitrary users can be changed | Improper Access Control - Generic | gronke | Medium | 2024-08-10 |
| CSS Injection in Message Avatar | Code Injection | gronke | Medium | 2024-08-10 |
| Unread Messages can leak Message IDs | Information Disclosure | gronke | Medium | 2024-08-10 |
| Registration bypass with leaked Invite Token | Improper Authentication - Generic | gronke | High | 2024-08-10 |
| Unauthenticated clients can modify Livechat Business Hours | Improper Access Control - Generic | gronke | Medium | 2024-08-10 |
| Improper ACL in Message Starring | Improper Access Control - Generic | gronke | Medium | 2024-08-10 |
| User Impersonation through sendMessage options | UI Redressing (Clickjacking) | gronke | Medium | 2024-08-10 |
| Authentication Bypass in login-token Authentication Method | Improper Authentication - Generic | gronke | Critical | 2024-08-10 |
| Impersonation in Sequential Messages | None supplied | gronke | Medium | 2024-08-10 |
| Content-Security Policy bypass with File Uploads | None supplied | gronke | High | 2024-08-10 |
| XSS in various MessageTypes | Cross-site Scripting (XSS) - Stored | gronke | High | 2024-08-10 |
| Pinning leaks message content | Information Disclosure | gronke | High | 2024-08-10 |
| Bypassing 2FA with conventional session management - open.rocket.chat | Improper Authentication - Generic | hackeriron1 | Low | 2024-08-10 |
| Unauthenticated full-read SSRF via Twilio integration | Server-Side Request Forgery (SSRF) | mokusou | High | 2024-08-04 |
| Rocket.Chat Desktop client fails to open browser on 3rd party external actions from PDF documents | Cleartext Transmission of Sensitive Information | itssixtynein | Low | 2024-07-11 |
| NoSQL injection leaks visitor token and livechat messages | Information Disclosure | gronke | Medium | 2024-07-11 |
| Server-side RCE through directory traversal-based arbitrary file write | Path Traversal | fabianfreyer | Critical | 2023-07-10 |
| Reflected Cross-Site Scripting (CVE-2022-32770) | Cross-site Scripting (XSS) - Reflected | sachinrajput | High | 2023-06-22 |
| Clickjacking at open.rocket.chat | UI Redressing (Clickjacking) | scriptsavvy | Medium | 2023-06-15 |
| NoSQL injection in listEmojiCustom method call | SQL Injection | rijalrojan | High | 2023-05-09 |
| Cross-Site-Scripting in "Search Messages" | Cross-site Scripting (XSS) - Stored | sectex | Medium | 2023-05-09 |
| Mute User can disclose private channel members to unauthorized users | Information Disclosure | gronke | Medium | 2023-05-09 |
| Maliciously crafted message can cause Rocket.Chat server to stop responding | Uncontrolled Resource Consumption | vv9k | Medium | 2023-05-09 |
| Moving private messages into vision with updateMessage method | Information Disclosure | gronke | High | 2023-05-09 |
| Retrospective change of message timestamp and order | None supplied | gronke | Medium | 2023-04-25 |
| Messages can be hidden regardless of server configuration | None supplied | gronke | Medium | 2023-04-25 |
| Improper Access Control - Generic | Improper Access Control - Generic | priyank_parmar | Low | 2023-04-25 |
| Rocket.Chat Server RCE | Command Injection - Generic | yuske | Critical | 2023-03-04 |
| Low authorization level at server side API operation e2e.updateGroupKey, let an attacker break the E2E architecture. | Improper Access Control - Generic | f0ns1 | High | 2023-02-16 |
| Insecure use of shell.openExternal() leads to RCE in Rocket.Chat-Desktop | OS Command Injection | sectex | High | 2022-12-08 |
| getUsersOfRoom discloses users in private channels | None supplied | gronke | Medium | 2022-09-22 |
| Rocket.chat user info security issue | Cleartext Transmission of Sensitive Information | mikolajczak | Medium | 2022-09-22 |
| Message ID Enumeration with Regular Expression in getReadReceipts Meteor method | Information Disclosure | gronke | Medium | 2022-09-22 |
| API route chat.getThreadsList leaks private message content | Information Disclosure | gronke | High | 2022-09-22 |
| NoSQL-Injection discloses S3 File Upload URLs | Information Disclosure | gronke | Medium | 2022-09-22 |
| getRoomRoles Method leaks Channel Owner | Information Disclosure | gronke | Medium | 2022-09-22 |
| TOTP 2 Factor Authentication Bypass | Improper Authentication - Generic | gronke | High | 2022-09-22 |
| Message ID Enumeration with Action Link Handler | Information Disclosure | gronke | Medium | 2022-09-22 |
| REST API gets `query` as parameter and executes it | Information Disclosure | paulocsanz | Medium | 2022-09-22 |
| Unintended information disclosure in the Hubot Log files | Cleartext Storage of Sensitive Information | rolfzur | Medium | 2022-09-22 |
| Bypass local authentication (PIN code) | Improper Authentication - Generic | dago_669 | Medium | 2022-09-22 |
| getUserMentionsByChannel leaks messages with mention from private channel | Information Disclosure | gronke | High | 2022-09-22 |
| It is possible to elevate privileges for any authenticated user to view permissions matrix and view Direct messages without appropriate permissions. | Privilege Escalation | garretby | Medium | 2022-09-22 |
| Persistent CSS injection with 'marked' markdown parser in Rocket.Chat | Cross-site Scripting (XSS) - Stored | danieljpp | High | 2022-09-22 |
| Regex account takeover | SQL Injection | ghaem51 | Critical | 2022-09-22 |
| Insecure use of shell.openExternal() in Rocket.Chat Desktop App leading to RCE | OS Command Injection | baltpeter | Critical | 2022-08-01 |
| Possible Domain Takeover on AWS Instance. | Phishing | samuelsiv | Low | 2022-05-22 |
| Arbitrary file read in Rocket.Chat-Desktop | None supplied | sectex | Medium | 2022-02-06 |
| Blind XSS | Cross-site Scripting (XSS) - Generic | cyberasset | Low | 2021-12-07 |
| Custom crafted message object in Meteor.Call allows remote code execution and impersonation | Code Injection | wreiske | Critical | 2021-10-11 |
| Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution | None supplied | sonarsource | High | 2021-07-31 |
| Post-Auth Stored XSS with User Interaction leads to Remote Code Execution | Cross-site Scripting (XSS) - Stored | sonarsource | High | 2021-06-30 |
| Pre-Auth Blind NoSQL Injection leading to Remote Code Execution | None supplied | sonarsource | Critical | 2021-05-18 |
| Hi! Security Team Rocket.Chat, It's possible to get information about the users emails without authentication | Information Disclosure | khekhe | Low | 2021-04-29 |
| Account takeover via XSS | Cross-site Scripting (XSS) - Stored | sectex | Critical | 2021-03-31 |
| Stored XSS in any message (leads to priv esc for all users and file leak + rce via electron app) | Cross-site Scripting (XSS) - DOM | psych0tr1a | High | 2021-03-25 |
| Android App Crashes while sending message to users/ on channel | Classic Buffer Overflow | legalizenepal | High | 2021-03-18 |
| Remote Code Execution in Rocket.Chat-Desktop | None supplied | sectex | Critical | 2020-11-07 |
| Desktop app RCE (#276031 bypass) | Code Injection | ivarsvids | High | 2020-11-05 |
| [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup | Code Injection | steven_julian22 | Medium | 2020-06-24 |
| SAML authentication bypass | Improper Authentication - Generic | tomp1 | High | 2020-06-18 |
| account takeover on 3.0.1 version | Insecure Direct Object Reference (IDOR) | elfiman | Critical | 2020-06-14 |
| API Keys Hardcoded in Github repository | Use of Hard-coded Credentials | codermak | Medium | 2020-04-01 |
| Blind SQL injection in third-party software, that allows to reveal user statistic from rocket.chat and possibly hack into the rocketchat.agilecrm.com | SQL Injection | w2w | No rating | 2019-10-17 |
| XSS (stored) Wizard is saving executable code | Cross-site Scripting (XSS) - Stored | 24nitin | Medium | 2018-09-27 |
| Blind XSS in the rocket.chat registration email | Cross-site Scripting (XSS) - Stored | edoverflow | No rating | 2018-09-26 |
| Remote Code Execution in Rocket.Chat Desktop | Code Injection | mattaustin | High | 2018-09-19 |
| Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script. | Code Injection | edoverflow | Medium | 2018-08-28 |