This release includes 3 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Version 8.2.4 fixes token-cleanup bugs and hardens several APIs by adding validation checks.
Why it matters: Affects OAuth token cleanup, login token removal, the translateMessage method, and the visitors.info response; relevant for developers and security engineers managing authentication flows.
Summary
AI summary: Updates Patch Changes, https://github.com/dionisio-bot, and https://github.com/RocketChat/Rocket.Chat/pull/40629 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Validates access and types for Meteor method translateMessage. (Source: llm_adapter@2026-05-23, confidence: high) | — |
| Security | Medium | Excludes visitor token from visitors.info response. (Source: llm_adapter@2026-05-23, confidence: high) | — |
| Security | Medium | Checks room access for autotranslate.translateMessage endpoint. (Source: llm_adapter@2026-05-23, confidence: high) | — |
| Dependency | Medium | Updates multiple dependencies: @rocket.chat/model-typings, @rocket.chat/models, @rocket.chat/core-typings, @rocket.chat/rest-typings to 2.1.4 and 8.2.4 respectively. (Source: llm_adapter@2026-05-23, confidence: low) | — |
| Dependency | Medium | Bumps @rocket.chat/meteor version. (Source: llm_adapter@2026-05-23, confidence: low) | — |
| Dependency | Low | Updates internal packages: model-typings, models to 2.1.4; core-typings, rest-typings to 8.2.4. (Source: granite4.1:30b@2026-05-23-audit, confidence: high) | — |
| Bugfix | Medium | Ensures OAuth tokens are cleaned up after user deactivation. (Source: llm_adapter@2026-05-23, confidence: high) | — |
| Bugfix | Medium | Ensures login tokens are removed for deactivated users in users.deactivateidle. (Source: llm_adapter@2026-05-23, confidence: high) | — |
Full changelog
Engine versions
- Node: 22.16.0
- Deno: 1.43.5
- MongoDB: 8.0
- Apps-Engine: 1.60.1
Patch Changes
- (#40629 by @dionisio-bot) Ensures OAuth tokens are cleaned up after user deactivation
- Bump @rocket.chat/meteor version.
- (#40564 by @dionisio-bot) Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
- (#40541 by @dionisio-bot) Ensures the Meteor method for translateMessage validates access and types
- (#40579 by @dionisio-bot) Ensures the visitor token is not present in the visitors.info response
- (#40549 by @dionisio-bot) Ensures the autotranslate.translateMessage endpoint checks for room access
- Updated dependencies [776d43cf33bab90c2d173d95b2f9a26e8a333dbe, e0f8b66d728498e26586ced3630f29ad8d855bc0]:
  - @rocket.chat/[email protected]
  - @rocket.chat/[email protected]
  - @rocket.chat/[email protected]
  - @rocket.chat/[email protected]
Security Fixes
- OAuth token cleanup after user deactivation prevents lingering access
- Login token removal on users.deactivateidle stops unauthorized logins
- translateMessage endpoints now enforce room access and argument type validation
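The two patterns behind these fixes, shown as an added example rather than Rocket.Chat's own code: a translateMessage-style handler that validates argument types and checks room membership before touching any message, and a deactivation routine that revokes both login tokens and OAuth tokens so a deactivated account cannot keep authenticating through either path. All names (`translateMessage`, `deactivateUser`, `authorizeOAuth`, the in-memory `users`, `rooms` and `messages` maps) are hypothetical stand-ins for the real data layer.

```javascript
// Added illustration (hypothetical names, not Rocket.Chat's code) of the two
// defensive patterns in the 8.2.4 security fixes:
//   1. validate types, then authorize, then act (translateMessage);
//   2. deactivation revokes every credential type, not just a flag (deactivateUser).

// Constructed in-memory state standing in for the database.
const users = new Map([
  ['u1', { active: true, loginTokens: ['lt-1', 'lt-2'], oauthTokens: ['oa-1'] }],
  ['u2', { active: true, loginTokens: ['lt-3'], oauthTokens: [] }],
]);
const rooms = new Map([['r1', { members: new Set(['u1']) }]]);
const messages = new Map([['m1', { rid: 'r1', msg: 'hello' }]]);

class ValidationError extends Error {}
class AuthorizationError extends Error {}

// Resolve a login token to a user id; deactivated users and revoked tokens fail.
function authenticate(loginToken) {
  for (const [uid, u] of users) {
    if (u.active && u.loginTokens.includes(loginToken)) return uid;
  }
  return null;
}

// OAuth bearer check; a token that survived deactivation would otherwise still work.
function authorizeOAuth(token) {
  for (const [uid, u] of users) {
    if (u.active && u.oauthTokens.includes(token)) return uid;
  }
  return null;
}

// Pattern 1: type validation runs before any lookup, so malformed input never
// reaches the data layer; room access is checked before the message is used.
function translateMessage(loginToken, params) {
  if (typeof params !== 'object' || params === null) {
    throw new ValidationError('params must be an object');
  }
  const { messageId, targetLanguage } = params;
  if (typeof messageId !== 'string' || messageId.length === 0) {
    throw new ValidationError('messageId must be a non-empty string');
  }
  if (typeof targetLanguage !== 'string' || !/^[a-z]{2}(-[A-Z]{2})?$/.test(targetLanguage)) {
    throw new ValidationError('targetLanguage must be a language code such as "de" or "pt-BR"');
  }

  const uid = authenticate(loginToken);
  if (!uid) throw new AuthorizationError('not logged in');

  const message = messages.get(messageId);
  // Same error for "no such message" and "not a room member", so the caller
  // cannot use the endpoint to probe which message ids exist.
  if (!message || !rooms.get(message.rid)?.members.has(uid)) {
    throw new AuthorizationError('message not accessible');
  }
  // Stand-in for the actual translation step.
  return { rid: message.rid, translated: `[${targetLanguage}] ${message.msg}` };
}

// Pattern 2: deactivation clears login tokens AND OAuth tokens. Returns the
// number of credentials revoked, or null if the user does not exist.
function deactivateUser(userId) {
  const u = users.get(userId);
  if (!u) return null;
  u.active = false;
  const revoked = u.loginTokens.length + u.oauthTokens.length;
  u.loginTokens = [];
  u.oauthTokens = [];
  return revoked;
}
```

The ordering inside `translateMessage` is the point: type checks first, authentication second, and an authorization check on the room before the message content is read, with missing and inaccessible messages reported identically. `deactivateUser` shows why a deactivation flag alone is insufficient: `authenticate` and `authorizeOAuth` both consult the flag, but clearing the token lists also covers any code path that checks tokens without checking the flag.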