
CVE-2022-32220: Information Disclosure (CWE-200) in Rocket.Chat

Severity: Medium
Tags: Vulnerability, CVE-2022-32220, CWE-200
Published: Fri Sep 23 2022 (09/23/2022, 18:28:14 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

An information disclosure vulnerability exists in Rocket.Chat <v5 because the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.

AI-Powered Analysis

Last updated: 07/08/2025, 09:42:46 UTC

Technical Analysis

CVE-2022-32220 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 5.0.0. Rocket.Chat is an open-source team communication platform widely used for messaging within organizations. The vulnerability arises from the getUserMentionsByChannel Meteor server method, which improperly discloses messages from private channels and direct messages. Specifically, this method fails to enforce an access control check on the requested room, allowing any authenticated user (low privileges, no user interaction) to retrieve message content from rooms they do not have permission to access. This flaw violates confidentiality principles by exposing sensitive communications to unauthorized users. The vulnerability is rated with a CVSS 3.1 base score of 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. The attack vector is network-based with low attack complexity; it requires low privileges but no user interaction. The scope remains unchanged, meaning the vulnerability affects only the vulnerable component without extending to other components. No known exploits in the wild have been reported as of the publication date. The issue was addressed and fixed in Rocket.Chat version 5.0.0 and later releases.
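The missing check described above is a generic authorization gap: a server method authenticates the caller but trusts a caller-supplied room id and reads messages without confirming the caller may see that room. The following is an added illustrative model, not Rocket.Chat's source code and not the project's actual fix; the room table, users, messages, the `canAccessRoom` helper and the function names are all constructed for this example. It shows the vulnerable shape beside a fixed shape that gates the same query on room membership.

```javascript
// Added illustrative model (not Rocket.Chat's source code) of the access-control
// gap CVE-2022-32220 describes: a Meteor-style server method that returns the
// messages mentioning the caller in a given room, once without a room-access
// check (vulnerable shape) and once with it (fixed shape). Room ids, users,
// messages and helper names are constructed for this example.

// Room types follow Rocket.Chat's convention: 'c' public channel,
// 'p' private group, 'd' direct message.
const ROOMS = {
  general:     { t: 'c', members: new Set(['alice', 'bob', 'mallory']) },
  privops:     { t: 'p', members: new Set(['alice', 'bob']) },
  'alice-bob': { t: 'd', members: new Set(['alice', 'bob']) },
};

// Constructed message store; `mentions` lists the usernames @-mentioned in `msg`.
const MESSAGES = [
  { rid: 'general',   msg: 'lunch at noon @mallory?',                      mentions: ['mallory'] },
  { rid: 'privops',   msg: 'do not loop in @mallory on the incident yet',   mentions: ['mallory'] },
  { rid: 'alice-bob', msg: '@bob the offer for @mallory is 10% below band', mentions: ['bob', 'mallory'] },
];

// Authorization predicate: anyone logged in may read a public channel; private
// groups and DMs are readable only by their members. This is a stand-in for the
// kind of room-access check a fixed version must enforce (assumed helper).
function canAccessRoom(rid, userId) {
  const room = ROOMS[rid];
  if (!room) return false;
  return room.t === 'c' || room.members.has(userId);
}

// Query helper shared by both variants: messages in `rid` mentioning `userId`.
function findMentionsInRoom(rid, userId) {
  return MESSAGES
    .filter(m => m.rid === rid && m.mentions.includes(userId))
    .map(m => m.msg);
}

// Vulnerable shape: authenticates the caller but trusts the caller-supplied
// roomId, so any logged-in user can read mentions of themselves from any room.
function getUserMentionsByChannelVulnerable(callerId, { roomId }) {
  if (!callerId) throw new Error('error-invalid-user');
  return findMentionsInRoom(roomId, callerId);
}

// Fixed shape: the same query, gated on room access before any read happens.
function getUserMentionsByChannelFixed(callerId, { roomId }) {
  if (!callerId) throw new Error('error-invalid-user');
  if (!canAccessRoom(roomId, callerId)) throw new Error('error-not-allowed');
  return findMentionsInRoom(roomId, callerId);
}

// Wraps a method call into { outcome, messages } so both variants can be
// compared without parsing exceptions. outcome is 'allowed', 'denied' or
// 'unauthenticated'.
function probe(method, callerId, roomId) {
  try {
    return { outcome: 'allowed', messages: method(callerId, { roomId }) };
  } catch (e) {
    const outcome = e.message === 'error-not-allowed' ? 'denied' : 'unauthenticated';
    return { outcome, messages: [] };
  }
}

// Stand-alone demo: mallory is not a member of privops or the alice-bob DM,
// yet the vulnerable variant hands her the private messages that mention her.
for (const rid of Object.keys(ROOMS)) {
  console.log(rid, 'vulnerable:', probe(getUserMentionsByChannelVulnerable, 'mallory', rid));
  console.log(rid, 'fixed:     ', probe(getUserMentionsByChannelFixed, 'mallory', rid));
}
```

The design point for reviewers of similar server methods: the authorization decision belongs before the data access and must be keyed on the room the caller names, not only on whether the caller is logged in. Checking membership after the query, or only in the client, leaves the same leak.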

Potential Impact

For European organizations using Rocket.Chat versions prior to 5.0.0, this vulnerability poses a significant risk to the confidentiality of internal communications. Unauthorized disclosure of private channel messages and direct messages could lead to leakage of sensitive business information, intellectual property, or personal data protected under GDPR. This could result in reputational damage, regulatory penalties, and loss of trust among clients and partners. Since Rocket.Chat is often deployed in sectors requiring secure communications such as finance, healthcare, and government, the impact could be severe if exploited. The vulnerability does not affect message integrity or system availability, but the confidentiality breach alone is critical in environments handling sensitive or regulated data. The lack of known exploits reduces immediate risk, but the ease of exploitation and network accessibility means attackers could leverage this vulnerability if discovered independently.

Mitigation Recommendations

European organizations should immediately verify their Rocket.Chat version and upgrade to version 5.0.0 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, organizations should restrict access to Rocket.Chat servers to trusted networks and users, implement strict network segmentation, and monitor logs for unusual access patterns to private channels. Additionally, applying strict role-based access controls and auditing user permissions can reduce the risk of unauthorized access. Organizations should also consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious API calls related to getUserMentionsByChannel. Regular security assessments and penetration testing focusing on access control enforcement in Rocket.Chat deployments are recommended to identify any residual risks.


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-06-01T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f41160acd01a249262002

Added to database: 5/22/2025, 3:21:58 PM

Last enriched: 7/8/2025, 9:42:46 AM

Last updated: 2/4/2026, 7:44:01 AM
