Rocket.Chat Permission Bypass Vulnerability in Apps Engine Log Endpoints

Vulnerability

A vulnerability exists in Rocket.Chat versions prior to 8.4.0, 8.3.2, 8.2.2, 8.1.3, 8.0.4, 7.13.6, 7.12.7, 7.11.7, and 7.10.10. The issue arises from a typo in the permission check for the endpoints '/api/apps/logs' and '/api/apps/:id/logs'. This flaw allows authenticated users without the necessary permissions to access apps-engine logs, including admin-only logs for Enterprise Apps.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive log information, potentially including private data or details about application performance and errors.

Added: Apr 24, 2026, 12:29 AM
Updated: Apr 24, 2026, 12:29 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.8
remediation: 0.0
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.