CVE-2022-35249 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 5.0. Rocket.Chat is an open-source team collaboration platform widely used for messaging within organizations. The vulnerability exists in the Meteor server method getUserMentionsByChannel, which is intended to retrieve user mentions within a specific channel. However, due to improper access control checks, this method discloses messages from private channels and direct messages even to users who do not have permission to access those rooms. This flaw violates the confidentiality principle by exposing sensitive communication data to unauthorized users. The vulnerability is classified under CWE-200 (Information Exposure) and has a CVSS v3.1 base score of 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality only without affecting integrity or availability. There are no known exploits in the wild as of the published date, and the issue was fixed starting with Rocket.Chat version 5.0. The vulnerability arises from insufficient authorization checks in the server method, allowing authenticated users to access messages from private channels and direct messages they should not see. This could lead to leakage of sensitive organizational information, private conversations, or confidential data shared within restricted channels.

For European organizations using Rocket.Chat for internal communications, this vulnerability poses a significant risk to the confidentiality of sensitive information. Private channels and direct messages often contain proprietary business data, personal employee information, or strategic communications. Unauthorized disclosure of such information could lead to reputational damage, regulatory non-compliance (especially under GDPR, which mandates protection of personal data), and potential competitive disadvantage. Since the vulnerability requires an authenticated user, the risk is primarily from insider threats or compromised accounts. However, given that many organizations use Rocket.Chat for critical communications, even limited unauthorized access can have serious consequences. The medium CVSS score reflects that while the impact is limited to confidentiality and exploitation requires some privileges, the scope of affected data can be broad within an organization. European entities in sectors such as finance, healthcare, government, and technology, where sensitive communications are common, are particularly at risk. Additionally, the lack of known exploits in the wild suggests that proactive patching can effectively mitigate this threat before exploitation becomes widespread.

Organizations should immediately upgrade Rocket.Chat installations to version 5.0 or later, where this vulnerability has been addressed. Beyond patching, administrators should audit user permissions and access controls to ensure that only authorized personnel have access to private channels and direct messages. Implementing strict account management policies, including multi-factor authentication (MFA), can reduce the risk of account compromise that could lead to exploitation. Monitoring and logging access to sensitive channels can help detect anomalous behavior indicative of exploitation attempts. Additionally, organizations should conduct regular security assessments of their collaboration platforms to identify and remediate potential misconfigurations or vulnerabilities. For environments where immediate upgrading is not feasible, restricting access to the Meteor server methods or applying custom access control rules may serve as a temporary mitigation. Finally, educating users about the importance of safeguarding credentials and recognizing suspicious activity can further reduce risk.