{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29197", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-03-04T15:00:09.266Z", "datePublished": "2026-04-23T23:19:40.722Z", "dateUpdated": "2026-04-24T14:18:07.117Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Rocket.Chat", "product": "Rocket.Chat", "versions": [{"version": "8.4.0", "status": "affected", "lessThan": "8.4.0", "versionType": "semver"}, {"version": "8.3.2", "status": "affected", "lessThan": "8.3.2", "versionType": "semver"}, {"version": "8.2.2", "status": "affected", "lessThan": "8.2.2", "versionType": "semver"}, {"version": "8.1.3", "status": "affected", "lessThan": "8.1.3", "versionType": "semver"}, {"version": "8.0.4", "status": "affected", "lessThan": "8.0.4", "versionType": "semver"}, {"version": "7.13.6", "status": "affected", "lessThan": "7.13.6", "versionType": "semver"}, {"version": "7.12.7", "status": "affected", "lessThan": "7.12.7", "versionType": "semver"}, {"version": "7.11.7", "status": "affected", "lessThan": "7.11.7", "versionType": "semver"}, {"version": "7.10.10", "status": "affected", "lessThan": "7.10.10", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/3589551"}, {"url": "https://github.com/RocketChat/Rocket.Chat/pull/40125"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-23T23:19:40.722Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T14:17:53.996452Z", "id": "CVE-2026-29197", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:18:07.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29197", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T14:17:53.996452Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:17:50.488Z"}}], "cna": {"affected": [{"vendor": "Rocket.Chat", "product": "Rocket.Chat", "versions": [{"status": "affected", "version": "8.4.0", "lessThan": "8.4.0", "versionType": "semver"}, {"status": "affected", "version": "8.3.2", "lessThan": "8.3.2", "versionType": "semver"}, {"status": "affected", "version": "8.2.2", "lessThan": "8.2.2", "versionType": "semver"}, {"status": "affected", "version": "8.1.3", "lessThan": "8.1.3", "versionType": "semver"}, {"status": "affected", "version": "8.0.4", "lessThan": "8.0.4", "versionType": "semver"}, {"status": "affected", "version": "7.13.6", "lessThan": "7.13.6", "versionType": "semver"}, {"status": "affected", "version": "7.12.7", "lessThan": "7.12.7", "versionType": "semver"}, {"status": "affected", "version": "7.11.7", "lessThan": "7.11.7", "versionType": "semver"}, {"status": "affected", "version": "7.10.10", "lessThan": "7.10.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/3589551"}, {"url": "https://github.com/RocketChat/Rocket.Chat/pull/40125"}], "descriptions": [{"lang": "en", "value": "In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-23T23:19:40.722Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29197", "state": "PUBLISHED", "dateUpdated": "2026-04-24T14:18:07.117Z", "dateReserved": "2026-03-04T15:00:09.266Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-04-23T23:19:40.722Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F9F2F06-FC98-4692-BD3A-5AF9D746FB64", "versionEndExcluding": "7.10.10", "versionStartIncluding": "7.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "520910F2-3548-47A9-AD85-286C6703C8BA", "versionEndExcluding": "7.11.7", "versionStartIncluding": "7.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "14F6F674-A51D-492B-B535-D3909E152C36", "versionEndExcluding": "7.12.7", "versionStartIncluding": "7.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E3EA77B-C132-4750-97B8-6B059E1B303E", "versionEndExcluding": "7.13.6", "versionStartIncluding": "7.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FA25A81-737A-4B52-992B-B8201F046A4F", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C9716BA-F120-488F-A94B-9393C9A2BBE1", "versionEndExcluding": "8.1.3", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AF83D66-35A3-47CB-B776-473830D0CFDA", "versionEndExcluding": "8.2.2", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "16973449-C9F2-4E71-A840-69EEFF8DC6D7", "versionEndExcluding": "8.3.2", "versionStartIncluding": "8.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs."}], "id": "CVE-2026-29197", "lastModified": "2026-04-28T19:34:33.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T00:16:27.647", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/RocketChat/Rocket.Chat/pull/40125"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/3589551"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.4.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.13.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.12.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.11.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Rocket.Chat", "source": "cna", "vendor": "Rocket.Chat"}, "product": "rocket.chat", "vendor": "rocket.chat"}], "analysis": {"en": {"generated_at": "2026-04-28T20:26:48.015269+00:00", "value": {"mitigation_remediation": ["Upgrade to Rocket.Chat 8.4.0 or later (or 8.3.2+, 8.2.2+, 8.1.3+, 8.0.4+, 7.13.6+, 7.12.7+, 7.11.7+, or 7.10.10+ as appropriate for your environment).", "Reconfigure the log endpoints to enforce proper permission checks, ensuring that only users with the designated log\u2011read permission can access the /api/apps/logs and /api/apps/:id/logs routes.", "Audit existing logs for any unauthorized access events and adjust user roles or permissions accordingly to prevent future accidental disclosures."], "summary": {"action": "Patch Now", "impact": "Information Disclosure of Apps-Engine Logs"}, "threat_synthesis": {"affected_systems": "Rocket.Chat instances running any of the following versions are affected: all releases earlier than 8.4.0, 8.3.2, 8.2.2, 8.1.3, 8.0.4, 7.13.6, 7.12.7, 7.11.7, and 7.10.10. The issue applies to all environments where these versions are deployed.", "description_and_impact": "The vulnerability is a typo in the permission check for the /api/apps/logs and /api/apps/:id/logs endpoints. Because the required permission is not correctly verified, any authenticated user can access application engine logs, even if they do not possess the appropriate privileges. This flaw allows an attacker who can authenticate to the system to read potentially sensitive administrative logs, exposing configuration data, user activity, or other internal information that should be protected. The weakness is categorized as Improper Access Control (CWE\u2011284).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk. The EPSS score is less than 1\u2009%, implying a very low likelihood of exploitation under current conditions. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user, so the attack vector is internal or through social engineering that grants legitimate credentials. The impact is limited to information disclosure rather than code execution or denial of service."}}}}, "created": "2026-04-27T19:15:11.634425+00:00", "title": "Information Disclosure via Improper Permission Check on Rocket.Chat Apps-Engine Log Endpoints", "updated": "2026-04-28T20:30:06.192540+00:00", "vendors": ["rocket.chat", "rocket.chat$PRODUCT$rocket.chat"]}