Rocket.Chat

v7.13.7 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 21d Communication & Email
✓ No known CVEs patched
This release patches 1 known CVE

Topics

chat collaboration free javascript meteor mit real-time slack webrtc

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 13d

Rocket.Chat 7.13.7 hotfix modifies SAML login behavior to disable authentication when signature validation is misconfigured. Also fixes Slack message import corruption.

Why it matters: SAML login will be disabled if signature validation is misconfigured. Verify your SAML configuration and test authentication flows after upgrading.

Summary

AI summary

Security hotfix disables SAML login when signature validation is misconfigured.

Changes in this release

Security High

Applies a security hotfix (see Rocket.Chat security fixes documentation).

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Security Medium

Disables SAML login when signature validation is improperly configured.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Low

Updates multiple internal dependencies to newer versions.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Bugfix Medium

Fixes Slack messages being incorrectly saved during import.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Engine versions

  • Node: 22.16.0
  • Deno: 1.43.5
  • MongoDB: 5, 6, 7, 8
  • Apps-Engine: 1.58.1

Patch Changes

Security Fixes

  • Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates) – disables SAML login when signature validation is improperly configured.

About Rocket.Chat

The Secure CommsOS™ for mission-critical operations
