Predictable MongoDB ObjectIds leak Rocket.Chat files
An unauthenticated file-access vulnerability in Rocket.Chat allows remote attackers to download user-uploaded files due to predictable MongoDB ObjectIds. The flaw, resolved in recent updates, stems from a lack of room-level authorization checks combined with low-entropy identifiers.
Using MongoDB's `ObjectId()` as a primary identifier for sensitive public resources is a classic security anti-pattern, but the critical failure here lies in relying on identifier obscurity in place of robust, stateful authorization checks.
- –MongoDB ObjectIds have very low entropy because they encode timestamps and predictable, process-specific incrementing counters.
- –By exposing an unauthenticated file upload endpoint via the Livechat widget, Rocket.Chat unwittingly allowed attackers to obtain the exact "anchor" ID needed to calculate the static seed values.
- –Asynchronous exploit scripts (using libraries like `httpx`) make it trivial to perform highly targeted brute-forcing of the remaining variable spaces (timestamp and counter offset) in near-real-time.
- –The patch correctly addresses the root cause of the IDOR by mapping the file to a Room ID and strictly validating that the requesting client is authorized to access that room.
- –Security-minded developers should generate cryptographically secure random identifiers (such as UUIDv4) for all user-accessible records to ensure defense-in-depth.
DISCOVERED
1h ago
2026-07-07
PUBLISHED
2h ago
2026-07-07
RELEVANCE
AUTHOR
AikidoSecurity