This release includes 2 security fixes for security teams reviewing exposed deployments.
Summary
AI summary: A mixed release of dependency bumps and bug fixes, including the security fix in https://github.com/RocketChat/Rocket.Chat/pull/40633 by https://github.com/dionisio-bot.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Dependency | Low | Bumps @rocket.chat/meteor version. | — |
| Dependency | Low | Updates multiple internal packages to newer versions. | — |
| Bugfix | Medium | Cleans up OAuth tokens after user deactivation. | — |
| Bugfix | Medium | Removes visitor token from visitors.info response. | — |
| Bugfix | Medium | Validates access and types for the translateMessage Meteor method. | — |
| Bugfix | Medium | Checks room access on the autotranslate.translateMessage endpoint. | — |
Full changelog
Engine versions
- Node: 22.16.0
- Deno: 1.43.5
- MongoDB: 5.0, 6.0, 7.0
- Apps-Engine: 1.55.3
Patch Changes
- (#40633 by @dionisio-bot) Ensures OAuth tokens are cleaned up after user deactivation
- Bump @rocket.chat/meteor version.
- (#40570 by @dionisio-bot) Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
- (#40546 by @dionisio-bot) Ensures the Meteor method for translateMessage validates access and types
- (#40583 by @dionisio-bot) Ensures the visitor token is not present in the visitors.info response
- (#40553 by @dionisio-bot) Ensures the autotranslate.translateMessage endpoint checks for room access
- Updated dependencies [1d6d62250ea310c2816e4722e03a484d73fd82b6, efeacccbf2a2cb64fa38ba58edbbc82744f68f92]:
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
- @rocket.chat/[email protected]
Security Fixes
- OAuth tokens cleaned up after user deactivation (PR #40633)
- Visitor token removed from visitors.info response (PR #40583)