CVE-2023-28357 in Rocket.Chat
Summary
by MITRE • 05/12/2023
A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to.
Analysis
by VulDB Data Team • 12/06/2025
CVE-2023-28357 is a critical access control flaw in the Rocket.Chat collaboration platform that undermines the security model protecting private channel communications. The issue lies in the slash command implementation of the messaging system: the order in which access control checks are performed creates an exploitable condition that lets an authenticated user enumerate channel membership without authorization. The affected functionality is the /mute command, normally used to silence users within a channel; because its access control checks are sequenced improperly, it inadvertently exposes whether a given user is a member of a private channel.
The flaw is the sequence of the validation steps: the system first verifies whether the target user is a member of the channel, and only afterwards checks whether the caller is authorized to act in that channel. Because of this ordering, an authenticated user who attempts to execute /mute on a user in a channel they cannot access receives a response that reveals whether the target is in that channel, leaking private channel membership to an unauthorized party. This information disclosure is classified under CWE-668, "Exposure of Resource to Wrong Sphere", which covers resources made available to entities that should not have access to them. It is a classic case of insufficient authorization checking that violates fundamental security principles.
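The ordering problem is easiest to see side by side. The following is an added illustration written for this analysis, not Rocket.Chat's own code: a minimal slash-command handler in the vulnerable order (membership check before the caller's authorization) next to the hardened order (authorization first, one generic error for unauthorized callers). The room table, the `canMute` permission rule and the user names are hypothetical fixtures; the `leaksMembership` helper is a defender-side check that asks whether an unauthorized caller can tell a member from a non-member by the response.

```javascript
// Added illustration (not Rocket.Chat's code): how the order of checks in a
// slash-command handler decides whether channel membership leaks.
// Rooms, members and the permission rule below are constructed fixtures.
const rooms = {
  "private-board": { isPrivate: true, members: new Set(["alice", "bob"]) },
};

// Hypothetical permission rule: only room members may mute in that room.
const permissions = {
  canMute: (actor, room) => room.members.has(actor),
};

// Vulnerable ordering: the target's membership is checked before the caller's
// authorization, so the error string differs for members and non-members.
function muteVulnerable(actor, roomId, target) {
  const room = rooms[roomId];
  if (!room) return { ok: false, error: "room-not-found" };
  if (!room.members.has(target)) {
    return { ok: false, error: "user-not-in-room" }; // reveals membership
  }
  if (!permissions.canMute(actor, room)) {
    return { ok: false, error: "not-authorized" };
  }
  return { ok: true };
}

// Hardened ordering: authorization first. An unauthorized caller gets the same
// generic error whether or not the room exists or the target is a member.
function muteHardened(actor, roomId, target) {
  const room = rooms[roomId];
  if (!room || !permissions.canMute(actor, room)) {
    return { ok: false, error: "not-authorized" };
  }
  if (!room.members.has(target)) {
    return { ok: false, error: "user-not-in-room" };
  }
  return { ok: true };
}

// Oracle check for reviewers and tests: does the response differ between a
// member target and a non-member target when the caller has no access?
// Returns true when the handler leaks membership.
function leaksMembership(handler, actor, roomId, memberTarget, outsiderTarget) {
  const a = handler(actor, roomId, memberTarget);
  const b = handler(actor, roomId, outsiderTarget);
  return a.error !== b.error;
}

module.exports = { muteVulnerable, muteHardened, leaksMembership };
```

With the fixtures above, `leaksMembership(muteVulnerable, "mallory", "private-board", "alice", "carol")` is true and the same call against `muteHardened` is false. The design point is that authorization must be the first gate and that every rejection before that gate must be indistinguishable to the caller; merging "room not found" into the same generic error also avoids confirming that a private room exists.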
The operational impact goes beyond a single leaked fact, because the flaw enables active enumeration that can systematically map private channel memberships across an organization. An attacker with an account on the Rocket.Chat instance can repeatedly attempt /mute against various users in channels they cannot access and build a picture of who participates in which private conversations. This undermines the core privacy guarantee that private channels are meant to provide and can expose sensitive conversations and user relationships. In terms of the CIA triad the vulnerability affects confidentiality, since it allows unauthorized disclosure of information that should remain private. From an attacker's perspective, the information can support more targeted social engineering, identify key personnel within private channels, or map organizational communication structures.
The behaviour aligns with ATT&CK technique T1087.001, "Account Discovery: Local Account", applied to channel membership enumeration rather than local accounts. Such reconnaissance often precedes more serious attacks, as it gives an attacker intelligence about communication patterns and user relationships within an organization. The vulnerability also illustrates a failure of the principle of least privilege: users should only reach resources they are explicitly authorized to access. Organizations running Rocket.Chat may find the membership of their private channels exposed, which can contribute to data breaches, insider threats, or targeted attacks against specific users in those channels. Because the enumeration can be automated, it allows rapid and systematic discovery of private channel memberships without raising obvious alerts, which makes it particularly dangerous.
Mitigation should focus on correcting the validation sequence so that authorization checks occur before any membership verification. Organizations should apply the Rocket.Chat patches that reorder the access control checks and thereby stop the leakage of channel membership information. Additional defensive measures include monitoring for unusual patterns of slash command usage, rate limiting command execution attempts, and ensuring that all access control mechanisms follow sound security design principles. The vulnerability shows why security testing of access control logic must examine not only whether checks are present but also their ordering and implementation. Regular security assessments and code reviews that follow authorization flows can prevent similar issues from appearing elsewhere in the application. Organizations should also consider network-level monitoring to detect and alert on suspicious command execution patterns that may indicate enumeration attempts.
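The monitoring measure above can be made concrete with a small detector. The following is an added example written for this analysis, not Rocket.Chat's own code or log format: it parses a constructed slash-command audit log, keeps only rejected /mute attempts, and flags any account whose rejected attempts cover many distinct room/target pairs within a sliding time window, which is the signature of enumeration rather than an occasional typo. The log format, field names, window length and threshold are all assumptions to be adapted to the deployment's real logging.

```javascript
// Added example (not Rocket.Chat's code): flag accounts whose rejected /mute
// attempts span many distinct room/target pairs in a short window.
// The log lines below are constructed; the format is hypothetical.
const sampleLog = [
  "2023-03-01T10:00:01Z actor=mallory cmd=/mute room=r1 target=alice result=not-authorized",
  "2023-03-01T10:00:02Z actor=mallory cmd=/mute room=r1 target=bob result=not-authorized",
  "2023-03-01T10:00:03Z actor=mallory cmd=/mute room=r1 target=carol result=user-not-in-room",
  "2023-03-01T10:00:04Z actor=mallory cmd=/mute room=r1 target=dave result=not-authorized",
  "2023-03-01T10:00:05Z actor=mallory cmd=/mute room=r1 target=erin result=user-not-in-room",
  "2023-03-01T10:00:06Z actor=mallory cmd=/mute room=r1 target=frank result=not-authorized",
  "2023-03-01T10:00:07Z actor=alice cmd=/mute room=r1 target=zed result=user-not-in-room",
  "2023-03-01T10:00:08Z actor=bob cmd=/mute room=r1 target=carol result=ok",
  "2023-03-01T10:00:09Z actor=bob cmd=/mute room=r2 target=alice result=not-authorized",
  "2023-03-01T10:05:00Z actor=mallory cmd=/mute room=r2 target=gary result=not-authorized",
];

// Parse one audit line into an event; returns null for lines that do not match.
function parseLine(line) {
  const m = line.match(/^(\S+) actor=(\S+) cmd=(\S+) room=(\S+) target=(\S+) result=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), actor: m[2], cmd: m[3], room: m[4], target: m[5], result: m[6] };
}

// Returns one record per actor whose rejected /mute attempts touched at least
// `threshold` distinct room/target pairs inside any `windowMs` window.
// Both "not-authorized" and "user-not-in-room" count as rejections, so the
// rule works against unpatched servers (differing errors) and patched ones.
function findEnumerators(lines, { windowMs = 60_000, threshold = 5 } = {}) {
  const events = lines
    .map(parseLine)
    .filter((e) => e && e.cmd === "/mute" && e.result !== "ok")
    .sort((a, b) => a.ts - b.ts);

  const byActor = new Map();
  for (const e of events) {
    if (!byActor.has(e.actor)) byActor.set(e.actor, []);
    byActor.get(e.actor).push(e);
  }

  const flagged = [];
  for (const [actor, evs] of byActor) {
    const inWindow = new Map(); // "room/target" -> count of events in window
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      const key = `${evs[end].room}/${evs[end].target}`;
      inWindow.set(key, (inWindow.get(key) || 0) + 1);
      // Slide the window start forward past events older than windowMs.
      while (evs[end].ts - evs[start].ts > windowMs) {
        const old = `${evs[start].room}/${evs[start].target}`;
        const n = inWindow.get(old) - 1;
        if (n === 0) inWindow.delete(old); else inWindow.set(old, n);
        start++;
      }
      if (inWindow.size >= threshold) {
        flagged.push({ actor, distinctPairs: inWindow.size, at: new Date(evs[end].ts).toISOString() });
        break; // one alert per actor is enough
      }
    }
  }
  return flagged;
}

module.exports = { parseLine, findEnumerators, sampleLog };
```

On the constructed log only `mallory` is flagged: six distinct rejected targets within a few seconds, while `alice` and `bob` each have a single rejection that a normal user might produce. Counting distinct room/target pairs rather than raw attempts keeps a user who retries the same failing command from tripping the rule, and the same per-actor window is a natural basis for the rate limit mentioned above.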