This release includes one security fix: the translateMessage room-access check, applied to both the Meteor method and the REST endpoint. It is relevant to security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal. This patch release fixes several bugs and adds security hardening across APIs.
Why it matters: Fixes token cleanup on user deactivation, corrects API response issues, and validates access for translateMessage endpoints; relevant for developers maintaining Rocket.Chat integrations.
Summary
AI summary: a mixed patch release by @dionisio-bot (https://github.com/dionisio-bot), led by https://github.com/RocketChat/Rocket.Chat/pull/40627. It cleans up OAuth and login tokens when users are deactivated, adds access and type validation to translateMessage (Meteor method and REST endpoint), fixes the users.presence multi-ID response, drops the visitor token from visitors.info, and bumps dependencies.
Changes in this release

| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Validates access and types for the translateMessage Meteor method (#40539; confidence: high) | — |
| Security | Medium | Checks room access for the autotranslate.translateMessage endpoint (#40547; confidence: high) | — |
| Dependency | Medium | Bump @rocket.chat/meteor version (confidence: low) | — |
| Dependency | Medium | Updated dependencies: @rocket.chat/[email protected], @rocket.chat/[email protected], @rocket.chat/[email protected], @rocket.chat/[email protected] (confidence: low) | — |
| Bugfix | Medium | Ensures OAuth tokens are cleaned up after user deactivation (#40627; confidence: high) | — |
| Bugfix | Medium | Fixes the users.presence endpoint returning an empty array when called with multiple comma-separated IDs after the OpenAPI migration (#40527; confidence: high) | — |
| Bugfix | Medium | Ensures deactivated users have their login tokens cleaned up in users.deactivateidle (#40559; confidence: high) | — |
| Bugfix | Medium | Removes the visitor token from the visitors.info response (#40577; confidence: high) | — |
Full changelog
Engine versions
- Node: 22.22.2
- Deno: 2.3.1
- MongoDB: 8.0
- Apps-Engine: 1.62.0
Patch Changes
- (#40627 by @dionisio-bot) Ensures OAuth tokens are cleaned up after user deactivation
- Bump @rocket.chat/meteor version.
- (#40527 by @dionisio-bot) Fixes the `users.presence` endpoint returning an empty array when called with multiple comma-separated IDs, caused by `ajvQuery` coercing the string into a single-element array after the OpenAPI migration
- (#40559 by @dionisio-bot) Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
- (#40539 by @dionisio-bot) Ensures the Meteor method for translateMessage validates access and types
- (#40577 by @dionisio-bot) Ensures the visitor token is not present in the visitors.info response
- (#40547 by @dionisio-bot) Ensures the autotranslate.translateMessage endpoint checks for room access
- Updated dependencies [b0c593db9bc0bbbb603e673ddcdc48aad4f4e721, f422eb613d8cae43dc1e44d71b6ecb5a0a9c5d92, 3a3f0e1103bd0b8aaf93c16300ed664aed7a67a1]:
  - @rocket.chat/[email protected]
  - @rocket.chat/[email protected]
  - @rocket.chat/[email protected]
  - @rocket.chat/[email protected]
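The invariant behind the two token-cleanup entries (#40627 and #40559), as an added example in JavaScript. This is not Rocket.Chat's code: the in-memory `users` and `oauthAccessTokens` stores, the field names and the idle threshold are assumptions for illustration. It shows why flipping an `active` flag alone is not enough when token resolution never consults that flag, and routes the idle-deactivation job through the same complete cleanup so every deactivation path revokes both session tokens and OAuth tokens.

```javascript
// Added example, not Rocket.Chat code. Names, fields and data are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed fixtures standing in for the users collection and the OAuth token store.
const users = new Map([
  ['u1', { _id: 'u1', username: 'alice', active: true, lastLogin: Date.UTC(2026, 0, 1),
           services: { resume: { loginTokens: [{ hashedToken: 'h-alice-1' }, { hashedToken: 'h-alice-2' }] } } }],
  ['u2', { _id: 'u2', username: 'bob', active: true, lastLogin: Date.UTC(2026, 4, 20),
           services: { resume: { loginTokens: [{ hashedToken: 'h-bob-1' }] } } }],
]);
const oauthAccessTokens = new Map([
  ['oa-alice', { userId: 'u1', clientId: 'ci-bot' }],
  ['oa-bob',   { userId: 'u2', clientId: 'ci-bot' }],
]);

// Token resolution as many code paths do it: look the token up and return the owner,
// without consulting `active`. This is why tokens left behind keep a deactivated account usable.
function resolveLoginToken(hashedToken) {
  for (const u of users.values()) {
    const tokens = u.services?.resume?.loginTokens ?? [];
    if (tokens.some((t) => t.hashedToken === hashedToken)) return u._id;
  }
  return null;
}
function resolveOAuthToken(token) {
  return oauthAccessTokens.get(token)?.userId ?? null;
}

// Incomplete form: flips the flag only; sessions and integrations keep working.
function deactivateFlagOnly(userId) {
  const u = users.get(userId);
  if (!u) return false;
  u.active = false;
  return true;
}

// Complete form: flag, login tokens and OAuth tokens, in one function so every caller gets all three.
function deactivateUser(userId) {
  const u = users.get(userId);
  if (!u) return false;
  u.active = false;
  if (u.services?.resume) u.services.resume.loginTokens = [];
  for (const [token, rec] of oauthAccessTokens) {
    if (rec.userId === userId) oauthAccessTokens.delete(token);
  }
  return true;
}

// Idle-deactivation job: every active user whose last login is older than daysIdle
// goes through the complete path. Returns the ids it deactivated.
function deactivateIdle(daysIdle, now = Date.now()) {
  const cutoff = now - daysIdle * DAY_MS;
  const done = [];
  for (const u of users.values()) {
    if (u.active && u.lastLogin < cutoff && deactivateUser(u._id)) done.push(u._id);
  }
  return done;
}

// Audit helper: credentials that still resolve to a given user after deactivation.
function liveCredentials(userId) {
  const u = users.get(userId);
  const loginTokens = u?.services?.resume?.loginTokens?.length ?? 0;
  let oauth = 0;
  for (const rec of oauthAccessTokens.values()) if (rec.userId === userId) oauth += 1;
  return { loginTokens, oauth };
}
```

After an upgrade, the equivalent check against a real deployment is to deactivate a test account that holds an active session and an OAuth token, then confirm both credentials are refused; `liveCredentials` is the in-memory stand-in for that audit.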
Security Fixes
- translateMessage endpoint now checks room access (#40547, with matching type and access validation on the Meteor method in #40539)
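The check behind the two translateMessage entries (#40539 and #40547), as an added illustration in JavaScript. This is not Rocket.Chat's code: the collections, the `canAccessRoom` rule, the parameter shape and the error names are assumptions. The point is the order of checks a handler needs when it receives only a message id, whether it is reached as a Meteor method or as a REST endpoint: authenticate, validate the types, resolve the message, resolve its room, and verify the caller may access that room before returning anything derived from the message. The unchecked form is included beside the hardened one so the difference is visible on the same fixtures.

```javascript
// Added illustration, not Rocket.Chat code. Fixtures, rules and error names are assumptions.

// Constructed fixtures standing in for the Rooms, Messages and Subscriptions collections.
const rooms = new Map([
  ['roomPublic', { _id: 'roomPublic', t: 'c' }],   // 'c' = public channel
  ['roomPrivate', { _id: 'roomPrivate', t: 'p' }], // 'p' = private group
]);
const messages = new Map([
  ['msg1', { _id: 'msg1', rid: 'roomPrivate', msg: 'hola' }],
  ['msg2', { _id: 'msg2', rid: 'roomPublic', msg: 'bonjour' }],
]);
const subscriptions = new Set(['alice:roomPrivate', 'alice:roomPublic', 'bob:roomPublic']);

// Assumed access rule: public channels are readable by any logged-in user, private groups only by members.
function canAccessRoom(room, userId) {
  if (room.t === 'c') return true;
  return subscriptions.has(`${userId}:${room._id}`);
}

// Shape and type validation, the equivalent of a Meteor `check(params, {...})` on the method arguments.
function validateParams(params) {
  if (!params || typeof params !== 'object') throw new Error('invalid-params');
  const { messageId, targetLanguage } = params;
  if (typeof messageId !== 'string' || messageId === '') throw new Error('invalid-params');
  if (typeof targetLanguage !== 'string' || !/^[a-z]{2}(-[A-Z]{2})?$/.test(targetLanguage)) {
    throw new Error('invalid-params');
  }
  return { messageId, targetLanguage };
}

// Stand-in for the translation provider.
function translateText(text, targetLanguage) {
  return `[${targetLanguage}] ${text}`;
}

// Unchecked form: authenticates and validates, but trusts the messageId and never looks at the room.
function translateMessageUnchecked(userId, params) {
  if (!userId) throw new Error('not-authorized');
  const { messageId, targetLanguage } = validateParams(params);
  const message = messages.get(messageId);
  if (!message) throw new Error('not-allowed');
  return { messageId, rid: message.rid, translation: translateText(message.msg, targetLanguage) };
}

// Hardened form: the same, plus a room-access check on the message's room.
// "missing" and "forbidden" map to the same error so the handler does not confirm which ids exist.
function translateMessage(userId, params) {
  if (!userId) throw new Error('not-authorized');
  const { messageId, targetLanguage } = validateParams(params);
  const message = messages.get(messageId);
  if (!message) throw new Error('not-allowed');
  const room = rooms.get(message.rid);
  if (!room || !canAccessRoom(room, userId)) throw new Error('not-allowed');
  return { messageId, rid: room._id, translation: translateText(message.msg, targetLanguage) };
}

// Wrapper that turns thrown errors into a result object, as a REST layer would.
function call(handler, userId, params) {
  try {
    return { ok: true, result: handler(userId, params) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Against these fixtures, bob (a member of the public channel only) gets a translation of msg1 from the unchecked handler and `not-allowed` from the hardened one; alice, a member of the private group, gets the translation from both. Wrong types on either path are rejected before any lookup happens.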