CVE-2022-32226: Improper Access Control - Generic (CWE-284) in Rocket.Chat

Medium
Tags: Vulnerability, CVE-2022-32226, cve, cwe-284
Published: Fri Sep 23 2022 (09/23/2022, 18:28:13 UTC)
Source: CVE
Vendor/Project: n/a
Product: Rocket.Chat

Description

An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 because input data in the getUsersOfRoom Meteor server method is not type validated, so MongoDB query operator objects are accepted by the server; instead of a matching rid String, a $regex query can be executed, bypassing the room access permission check for every room but the first matching one.

AI-Powered Analysis

Last updated: 07/08/2025, 08:10:29 UTC

Technical Analysis

CVE-2022-32226 is an improper access control vulnerability identified in Rocket.Chat versions prior to 4.7.5, 4.8.2, and 5.0.0. The root cause lies in the lack of type validation for input data in the Meteor server method getUsersOfRoom. Specifically, the method accepts MongoDB query operator objects instead of strictly requiring a room ID (rid) string. This flaw allows an attacker to craft a malicious query using a $regex operator, which bypasses the intended room access permission checks. Consequently, an authenticated attacker with low privileges (the CVSS vector indicates PR:L) can retrieve user lists from rooms they should not have access to, except for the first matching room. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS score of 4.3 (medium severity) reflects limited confidentiality impact (disclosure of user membership information), no integrity or availability impact, and relatively low complexity of exploitation. No known exploits are reported in the wild as of the publication date. The vulnerability is classified under CWE-284 (Improper Access Control), highlighting a failure to enforce proper authorization checks on sensitive operations. The issue was addressed by Rocket.Chat in versions 4.7.5, 4.8.2, and 5.0.0, presumably by enforcing stricter input validation and access control on the getUsersOfRoom method.

Potential Impact

For European organizations using vulnerable versions of Rocket.Chat, this vulnerability poses a risk of unauthorized disclosure of user membership information within chat rooms. While it does not allow modification or deletion of data, leaking user lists can facilitate further targeted attacks such as social engineering, phishing, or reconnaissance for lateral movement. Organizations relying on Rocket.Chat for internal communications, especially those handling sensitive or regulated data, may face compliance risks under GDPR due to unauthorized access to user information. The impact is more pronounced in sectors with strict privacy requirements such as finance, healthcare, and government. Since the vulnerability requires only low privileges, an insider threat or compromised low-level user account could exploit it to gain unauthorized visibility into communication groups. However, the lack of known active exploitation and the medium severity rating suggest the immediate risk is moderate but should not be ignored.

Mitigation Recommendations

European organizations should promptly upgrade Rocket.Chat instances to versions 4.7.5, 4.8.2, or 5.0.0 or later, where the vulnerability is fixed. Until upgrades are applied, organizations should restrict access to Rocket.Chat servers to trusted networks and enforce strict user authentication and role-based access controls to limit the number of users with access to the getUsersOfRoom functionality. Monitoring and logging access to Meteor server methods can help detect anomalous queries indicative of exploitation attempts. Additionally, organizations should review and harden their Rocket.Chat configuration to disable or restrict API methods that expose sensitive information. Conducting internal audits of user permissions and chat room memberships can reduce the potential impact of unauthorized data disclosure. Finally, educating users about the risks of phishing and social engineering can mitigate follow-on attacks that might leverage information obtained through this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-06-01T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f6b520acd01a249264633

Added to database: 5/22/2025, 6:22:10 PM

Last enriched: 7/8/2025, 8:10:29 AM

Last updated: 8/15/2025, 8:10:24 AM
