Rocket.Chat

v8.3.4 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 12d Communication & Email
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

chat, collaboration, free, javascript, meteor, mit, real-time, slack, webrtc

Affected surfaces

auth rbac

ReleasePort's take

Light signal
editorial:auto 12d

ReleasePort Layer 1: version 8.3.4 adds OAuth token cleanup on user deactivation and tightens access validation for several APIs.

Why it matters: the fixes ensure OAuth tokens are removed after user deactivation, preventing orphaned credentials, and validate access for the translateMessage endpoints, mitigating unauthorized data exposure.

Summary

AI summary

A mixed patch release; the changes include https://github.com/RocketChat/Rocket.Chat/pull/40628 (see also https://github.com/dionisio-bot).

Changes in this release

Security Medium

Validates access and types for Meteor method translateMessage

Source: llm_adapter@2026-05-22

Confidence: high

Security Medium

Excludes visitor token from visitors.info response

Source: llm_adapter@2026-05-22

Confidence: high

Security Medium

Checks room access for autotranslate.translateMessage endpoint

Source: llm_adapter@2026-05-22

Confidence: high

Dependency Medium

Updates @rocket.chat/model-typings, @rocket.chat/models, @rocket.chat/core-typings, and @rocket.chat/rest-typings to latest versions

Source: llm_adapter@2026-05-22

Confidence: low

Dependency Medium

Bumps @rocket.chat/meteor version

Source: llm_adapter@2026-05-22

Confidence: low

Bugfix Medium

Ensures OAuth tokens are cleaned up after user deactivation

Source: llm_adapter@2026-05-22

Confidence: high

Bugfix Medium

Ensures deactivated users have their login tokens cleaned up in users.deactivateidle method

Source: llm_adapter@2026-05-22

Confidence: high

Full changelog

Engine versions

  • Node: 22.16.0
  • Deno: 1.43.5
  • MongoDB: 8.0
  • Apps-Engine: 1.61.1

Patch Changes

Security Fixes

  • Ensures OAuth tokens are removed after user deactivation (#40628)
  • Cleans up login tokens for deactivated users in users.deactivateidle (#40561)
  • Removes visitor token from visitors.info response (#40578)

About Rocket.Chat

The Secure CommsOS™ for mission-critical operations
