CVE-2026-29197 PUBLISHED

Assigner: hackerone
Reserved: 04.03.2026 Published: 23.04.2026 Updated: 23.04.2026

In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.

Product Status

Vendor	Rocket.Chat
Product	Rocket.Chat
Versions	Default: unaffected affected from 8.4.0 to 8.4.0 (excl.) affected from 8.3.2 to 8.3.2 (excl.) affected from 8.2.2 to 8.2.2 (excl.) affected from 8.1.3 to 8.1.3 (excl.) affected from 8.0.4 to 8.0.4 (excl.) affected from 7.13.6 to 7.13.6 (excl.) affected from 7.12.7 to 7.12.7 (excl.) affected from 7.11.7 to 7.11.7 (excl.) affected from 7.10.10 to 7.10.10 (excl.)

References

https://hackerone.com/reports/3589551
https://github.com/RocketChat/Rocket.Chat/pull/40125

Problem Types

CWE-284 Improper Access Control - Generic CWE