CVE-2026-29197_CVE-2026-29197

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.

Basic Information

ID CVE-2026-29197

Source hackerone

Published Apr 23, 2026 at 23:19

Modified Apr 24, 2026 at 14:18

Affected Product

Vendor Rocket.Chat

Product Rocket.Chat

Version 8.4.0

Affected Versions Rocket.Chat Rocket.Chat 8.4.0
Rocket.Chat Rocket.Chat 8.3.2
Rocket.Chat Rocket.Chat 8.2.2
Rocket.Chat Rocket.Chat 8.1.3
Rocket.Chat Rocket.Chat 8.0.4
Rocket.Chat Rocket.Chat 7.13.6
Rocket.Chat Rocket.Chat 7.12.7
Rocket.Chat Rocket.Chat 7.11.7
Rocket.Chat Rocket.Chat 7.10.10

CWE Classification

CWE-284

References

{
    "lastseen": "",
    "description": "In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.",
    "published": "2026-04-23T23:19:40.722Z",
    "modified": "2026-04-24T14:18:07.117Z",
    "type": "cve",
    "title": "CVE-2026-29197",
    "source": "hackerone",
    "references": "https://hackerone.com/reports/3589551\nhttps://github.com/RocketChat/Rocket.Chat/pull/40125",
    "id": "CVE-2026-29197",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Rocket.Chat Rocket.Chat 8.4.0\nRocket.Chat Rocket.Chat 8.3.2\nRocket.Chat Rocket.Chat 8.2.2\nRocket.Chat Rocket.Chat 8.1.3\nRocket.Chat Rocket.Chat 8.0.4\nRocket.Chat Rocket.Chat 7.13.6\nRocket.Chat Rocket.Chat 7.12.7\nRocket.Chat Rocket.Chat 7.11.7\nRocket.Chat Rocket.Chat 7.10.10",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Rocket.Chat",
    "version": "8.4.0",
    "vendor": "Rocket.Chat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}