{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "8.5.0-rc.0"
              },
              {
                "fixed": "8.5.0"
              },
              {
                "introduced": "8.4.0-rc.0"
              },
              {
                "fixed": "8.4.1"
              },
              {
                "introduced": "8.3.0-rc.0"
              },
              {
                "fixed": "8.3.3"
              },
              {
                "introduced": "8.2.0-rc.0"
              },
              {
                "fixed": "8.2.3"
              },
              {
                "introduced": "8.1.0-rc.0"
              },
              {
                "fixed": "8.1.4"
              },
              {
                "introduced": "8.0.0-rc.0"
              },
              {
                "fixed": "8.0.5"
              },
              {
                "introduced": "7.11.0-rc.0"
              },
              {
                "fixed": "7.13.7"
              },
              {
                "introduced": "0"
              },
              {
                "fixed": "7.10.11"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "f3c2b8356043884f29c4d802668f3366a471c957"
            },
            {
              "fixed": "d0230e1ed86163b5cf9da57fda09fa86ea0b5c9f"
            },
            {
              "introduced": "c54eea7bf4c643534b78b65041a2fc78e4f122e0"
            },
            {
              "fixed": "a1b567bb36327c93bfaa8eba32c4bf94ecee2760"
            },
            {
              "introduced": "d7325cd940dd6908069999e4d168dea938ee2f52"
            },
            {
              "fixed": "84bb79f4aacf39dd3f909788e600c076368c3985"
            },
            {
              "introduced": "d97ea5ff436e863332d7fd1fa086ef9a9d75cd52"
            },
            {
              "fixed": "bb77a56b43c983bee6203ddb312a86c31f35e3e4"
            },
            {
              "introduced": "c04b2ca3d4dc586dc504794fa3048bb0c723f5b2"
            },
            {
              "fixed": "3c30743d812c50596694ea95bab5b84ebc7a5264"
            },
            {
              "introduced": "84481796011e0a74658b3e37ac96dd246da9466b"
            },
            {
              "fixed": "792cb12e4ebeb2566c593ecf5e6cc0d28a5d3f06"
            },
            {
              "introduced": "de7ffad1fa219af50d6bc7ef06021db30fcbf183"
            },
            {
              "fixed": "67947de0244ac3d35689efbf9c903dadf7f4ed14"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "85f0f2da5ff07643147d44697f16ce9685743520"
            }
          ],
          "repo": "https://github.com/rocketchat/rocket.chat",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-fhc2-x8cp-c5ch"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-915"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45687.json"
  },
  "details": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it directly into a MongoDB $set update via Object.assign. There is no allow-list of writable fields. An attacker can therefore rewrite any column on their own upload record, notably store and the store-specific path fields. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.",
  "id": "CVE-2026-45687",
  "modified": "2026-07-15T01:48:51.519264681Z",
  "published": "2026-06-24T20:55:25.918Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45687.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-fhc2-x8cp-c5ch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45687"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rocket.Chat: Authenticated Arbitrary Data Export Theft via Mass Assignment in sendFileMessage"
}