{"api_version":"1","generated_at":"2026-04-24T13:41:35+00:00","cve":"CVE-2026-29197","urls":{"html":"https://cve.report/CVE-2026-29197","api":"https://cve.report/api/cve/CVE-2026-29197.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-29197","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-29197"},"summary":{"title":"CVE-2026-29197","description":"In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.","state":"PUBLISHED","assigner":"hackerone","published_at":"2026-04-24 00:16:27","updated_at":"2026-04-24 00:16:27"},"problem_types":["CWE-284","CWE-284 CWE-284 Improper Access Control - Generic"],"metrics":[],"references":[{"url":"https://github.com/RocketChat/Rocket.Chat/pull/40125","name":"https://github.com/RocketChat/Rocket.Chat/pull/40125","refsource":"support@hackerone.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://hackerone.com/reports/3589551","name":"https://hackerone.com/reports/3589551","refsource":"support@hackerone.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-29197","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29197","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 8.4.0 8.4.0 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 8.3.2 8.3.2 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 8.2.2 8.2.2 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 8.1.3 8.1.3 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 8.0.4 8.0.4 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 7.13.6 7.13.6 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 7.12.7 7.12.7 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 7.11.7 7.11.7 semver","platforms":[]},{"source":"CNA","vendor":"Rocket.Chat","product":"Rocket.Chat","version":"affected 7.10.10 7.10.10 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Rocket.Chat","vendor":"Rocket.Chat","versions":[{"lessThan":"8.4.0","status":"affected","version":"8.4.0","versionType":"semver"},{"lessThan":"8.3.2","status":"affected","version":"8.3.2","versionType":"semver"},{"lessThan":"8.2.2","status":"affected","version":"8.2.2","versionType":"semver"},{"lessThan":"8.1.3","status":"affected","version":"8.1.3","versionType":"semver"},{"lessThan":"8.0.4","status":"affected","version":"8.0.4","versionType":"semver"},{"lessThan":"7.13.6","status":"affected","version":"7.13.6","versionType":"semver"},{"lessThan":"7.12.7","status":"affected","version":"7.12.7","versionType":"semver"},{"lessThan":"7.11.7","status":"affected","version":"7.11.7","versionType":"semver"},{"lessThan":"7.10.10","status":"affected","version":"7.10.10","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control - Generic","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-23T23:19:40.722Z","orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone"},"references":[{"url":"https://hackerone.com/reports/3589551"},{"url":"https://github.com/RocketChat/Rocket.Chat/pull/40125"}]}},"cveMetadata":{"assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","assignerShortName":"hackerone","cveId":"CVE-2026-29197","datePublished":"2026-04-23T23:19:40.722Z","dateReserved":"2026-03-04T15:00:09.266Z","dateUpdated":"2026-04-23T23:19:40.722Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 00:16:27","lastModifiedDate":"2026-04-24 00:16:27","problem_types":["CWE-284","CWE-284 CWE-284 Improper Access Control - Generic"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"29197","Ordinal":"1","Title":"CVE-2026-29197","CVE":"CVE-2026-29197","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"29197","Ordinal":"1","NoteData":"In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.","Type":"Description","Title":"CVE-2026-29197"}]}}}