Rocket.Chat logo

Rocket.Chat

Open-source team communication and collaboration platform

Alternative to: Slack, Microsoft Teams, Discord


About Versions (100)

8.3.0

2026-04-07

Summary

Security and Compliance

Security improvements, authentication changes, data protection, and vulnerability fixes.

We fixed three important security and authentication issues: GitHub OAuth now reliably retrieves a user’s email during login and signup, a critical flaw that could let specially crafted access_token query parameters bypass authentication on protected REST API endpoints has been patched, and Federation domain allow list enforcement has been corrected to properly block disallowed domains.

Messaging and Collaboration

Features and fixes related to messaging, channels, discussions, and communication workflows.

This release improves collaboration across the platform with stronger federation support, including user banning and unbanning, a banned users list, system messages, better remote profile syncing, and read receipts across federated rooms. It also adds beta screen sharing in voice calls and support for uploading multiple files in the message composer. Alongside these enhancements, it fixes several usability issues, including ordered lists starting at 0, Markdown documents displaying \n instead of line breaks, missing error feedback when agents reach the maximum chat limit, inconsistent formatting of federated usernames, message forwarding in password-protected public channels, and garbled Hebrew text in exported PDFs.

Platform and Extensibility

Developer platform, APIs, integrations, and application framework improvements.

This update expands API coverage and reliability by adding OpenAPI documentation and response validation for a broad set of endpoints, including E2E, chat, rooms, users, emoji, push, and status APIs. It also fixes parameter handling in the groups.history and livechat/rooms APIs, and improves push token registration to support more complete device and token data, including Apple VoIP push tokens for call notifications.

Data, Storage, and Infrastructure

Database, performance, storage, and system-level improvements.

This update improves federation reliability by adding circuit breakers and timeouts for unresponsive remote servers, and makes custom sound and emoji storage settings reactive so changes to storage type or filesystem path take effect immediately without requiring a server restart.

Admin, Configuration, and Workspace Management

Administrative controls, configuration settings, and workspace management improvements.

This update fixes an issue where APNs could incorrectly initialize in production mode even when Push_production was disabled, preventing certificate errors in development push setups, closes a permissions gap that allowed users without the Create Public Channels permission to make private teams public, and deprecates the Allow Anonymous Write setting in Accounts ahead of its removal in version 9.0.0.

For further details, check out the release notes.

Engine versions

  • Node: 22.16.0
  • Deno: 1.43.5
  • MongoDB: 8.0
  • Apps-Engine: 1.61.0

Minor Changes

  • (#39750) Adds support to name changes on federated rooms

  • (#39268) refactor(ui-kit): Remove UiKit deprecations

  • (#38978 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat autotranslate translateMessage API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation

  • (#37922) Introduces native screen sharing for internal voice calls. This feature is currently in beta and can be disabled through admin settings.

  • (#39225 by @sezallagwal) Add OpenAPI support for the chat.followMessage and chat.unfollowMessage API endpoints by migrating to a modern chained route definition syntax and utilizing AJV schemas for body and response validation.

  • (#39227 by @sezallagwal) Add OpenAPI support for the chat.starMessage and chat.unStarMessage API endpoints by migrating to a modern chained route definition syntax and utilizing AJV schemas for body and response validation.

  • (#38957 by @Verifieddanny) Migrated rooms.leave endpoint to new OpenAPI pattern with AJV validation

  • (#38549 by @Rohitgiri02) migrated rooms.delete endpoint to new OpenAPI pattern with AJV validation

  • (#39094 by @ahmed-n-abdeltwab) Adds OpenAPI support for the Rocket.Chat e2e.updateGroupKey endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#36402 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat users.getAvatarSuggestion API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#38881 by @smirk-dev) adds instances.get API endpoint to new chained pattern with response schemas

  • (#38883 by @smirk-dev) Migrates ldap.testConnection and ldap.testSearch REST API endpoints from legacy addRoute pattern to the new chained .post() API pattern with typed response schemas and AJV body validation (replacing Meteor check()).

  • (#38882 by @smirk-dev) Migrates presence.getConnections and presence.enableBroadcast REST API endpoints from legacy addRoute pattern to the new chained .get()/.post() API pattern with typed response schemas.

  • (#38610) Fixes Custom Sounds Contextualbar state and refresh behavior

  • (#36779 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat e2e.fetchMyKeys endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#39425) Adds support for multiple files in message composer, improving file upload experience

  • (#36916 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat custom-user-status.list API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation

  • (#39219 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat e2e endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#39678) Adds support for ban management in rooms, enabling authorized users to ban and unban members via UI and slash commands.

  • (#38610) Adds new custom-sounds.getOne REST endpoint to retrieve a single custom sound by _id and updates client to consume it.

  • (#40006) Removes the Federation beta callout as the feature leaves beta

Patch Changes

  • (#39492) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

  • (#39010) Fixes an authorization issue that allowed users to confirm uploads from other users

  • (#39092) Fixes main channel scroll position changing when jumping to a thread message from search

  • Bump @rocket.chat/meteor version.

  • Bump @rocket.chat/meteor version.

  • Bump @rocket.chat/meteor version.

  • Bump @rocket.chat/meteor version.

  • Bump @rocket.chat/meteor version.

  • (#38531) Fixes a cross-resource access issue that allowed users to retrieve emojis from the Custom Sounds endpoint and sounds from the Custom Emojis endpoint when using the FileSystem storage mode.

  • (#39752) Fixes an issue on Federation where all domains ending with the pattern where being allowed to communicate, the feature is meant to work with a list, url by url

  • (#38662 by @TheRazorbill) Fixes wrong i18n key in RegisterWorkspace confirmation step so the text is translated instead of showing a missing key.

  • (#38983 by @copilot-swe-agent) Fixes incoming webhook messages ignoring literal \n escape sequences, and fixes the MarkdownText document variant not rendering newlines as line breaks.

  • (#39087) Fixes race condition causing duplicate open livechat rooms per visitor token.

  • (#39460) Fixes inconsistent username formatting causing ‘@@username’ for federated users

  • (#38989) chore(eslint): Upgrades ESLint and its configuration

  • (#39541) Fixes an issue when forwarding messages to a password-protected room.

  • (#39003) Fix marking a message as sent before the request finishes

  • (#36786 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat e2e.getUsersOfRoomWithoutKey endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#38932) Fixes version update banner showing outdated versions after server upgrade.

  • (#39461) Deprecates Anonymous write. Feature will be removed in version 9.0.0.

  • (#39545) Fixes the intermittent behavior where the “New messages” indicator appears incorrectly after the user sends a message

  • (#39753) Fixes an issue where emails were not saved for users logging in via the GitHub OAuth provider.

  • (#39491) Fixes calendar events modifying the wrong status property when attempting to sync busy status.

  • (#39054) Fixes a mismatch in the room icons on the sidebar items, ABAC Managed rooms were not displaying the correct icon

  • (#38760 by @Khizarshah01) Limits Outgoing webhook maximum response size to 10mb.

  • (#39612) Fixes the download of attachments with non-unicode names on E2EE rooms

  • (#36882 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat push.test API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#39718) Fixes an issue where, sometimes, updatedAt was not being set during the subscription creation

  • (#39557) Fixes main team channels being able to be converted into public or private with only the create-team-channel or create-team-group (the correct permission for main teams are create-c and create-p)

  • (#39559 by @copilot-swe-agent) Splits the single AJV validator instance into two: ajv (coerceTypes: false) for request body validation and ajvQuery (coerceTypes: true) for query parameter validation.

    Why this matters: Previously, a single AJV instance with coerceTypes: true was used everywhere. This silently accepted values with wrong types — for example, sending { "rid": 12345 } (number) where a string was expected would pass validation because 12345 was coerced to "12345". With this change, body validation is now strict: the server will reject payloads with incorrect types instead of silently coercing them.

    What may break for API consumers:

    • Numeric values sent as strings in POST/PUT/PATCH bodies (e.g., { "count": "10" } instead of { "count": 10 }) will now be rejected. Ensure JSON bodies use proper types.
    • Boolean values sent as strings in bodies (e.g., { "readThreads": "true" } instead of { "readThreads": true }) will now be rejected.
    • null values where a string is expected (e.g., { "name": null } for a type: 'string' field without nullable: true) will no longer be coerced to "".

    No change for query parameters: GET query params (e.g., ?count=10&offset=0) continue to be coerced via ajvQuery, since HTTP query strings are always strings.

  • (#39250) Fixes inquiries.take not failing when attempting to take a chat while over chat limits

  • (#38852) Fixes an issue where Production flag was not being respected when initializing Push Notifications configuration

  • (#39363 by @gauravsingh001-cyber) Fixes “Join” button on Outlook Calendar bubbling click event, also opening the calendar event details.

  • (#38944 by @Khizarshah01) Limits Omnichannel webhook maximum response size to 10mb.

  • (#38954) Fixes reactivity of Custom Sounds and Custom Emojis storage settings

  • (#35995 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat rooms.favorite APIs endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#39505) Fixes ssrf validation for oauth endpoints, which allows internal endpoints to be used during the auth flow.

  • (#36523 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat emoji-custom.create API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#36953 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat commands.get API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • (#38974 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat dm.close/im.close API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.

  • Updated dependencies [602b20a8c570b895eb296ecfe39c9b7fcb12fabd, e2068892bf1ffc88b15ab71ad743cf84e5d31ed5, e65b1764aad1ece3d770599e2ba0e216f41457cf, 6b80941a610085bac643d6958f6efa7c018f4bdf, d1bf2cc675e80403659d388a1fbbdc6f73889dad, 02b1e6e6a184850d21e335077ca30382a1c7a66b, 9a70095296dbf516b0113a9a65e09f25137b2eaf, cd2fc208d351032c0b729755af4886665dca08b6, 87f9262af4a543d52642a54e1ef546d509a79e23, a4e3c1635d55ec4ce04cbde741426770e43581fb, 652ff8cfe26b9068a776c39132c0eb5440702894, 539659af22bc19880eda047dfc0b152472ccb65c, b1b1d6ccd81c90d231a7e594f834965c6e5f4fae, 1741a20dd86c353755becfc706cd9ad63df09cfa, 5518503736b72674753e711ba4089d177ab988a5, a4341ec67d1f0413f30bbabfd292d1b0a41728b2, 40253146de8d8f83737e71b0ade7c67e0c295a28, 85c0ac7d8c7a5b7b89ef58f4a42b18467a8e2dd4, 803b8075514de54c9ff34ba0c9aa3ee5fc3bbe61, 1361a1f4f1e3c0cc3f2a191cef8eccc12a714cde, c217b0bde182e5f76dbe1892d9b37d61ffab71db, 2a2701098536b32143003be8d267891978c708c9, 78e37dc3deae4ff05f5e33f9134c7094fd6c1330, 37acece030bc9f39bdaa86ab0130eb818332033e, 43d0cfc6a70e8a31d5f3d24162216dae6b07efdd, d8baf395181b70fef9ce448eb509f65b66049615, ddc0ed34b03072362d166f1160104a9332b362e8, d83a1a9753464ee916845b3c88757bbcf76884a5, eae3fb3136bd0b48294c050a71b0a36d05ca02b0, 4c2e444216efd514ab406fe8e9cd127ef971d566, 722df6f60bc86c51b204e28a39acb3dc8710bdeb, 78b3fe3ef20e3a545b84551ba3f85cb40e862ba7, 98a6c58a38c053c60db2b4d53a9df0e94fecf0ba, 29b453e1def8092a8d78c28736e2bfb24229717b, 788c161bb6c9544bec37034c93e2f60de1a6c316, 39f2e87e1caa6842e69155f033205cfdc4767b9e, c117492ad90d291a361eedc929506f557495caf7, 7c7324184589a15bf3e67b4f0c1cc222f8d48db3]:
    • @rocket.chat/model-typings@2.1.2
    • @rocket.chat/models@2.1.2
    • @rocket.chat/federation-matrix@0.1.0
    • @rocket.chat/message-parser@0.31.35
    • @rocket.chat/fuselage-ui-kit@29.0.0
    • @rocket.chat/ui-kit@1.0.0
    • @rocket.chat/apps-engine@1.61.0
    • @rocket.chat/rest-typings@8.3.0
    • @rocket.chat/i18n@2.2.0
    • @rocket.chat/ui-voip@19.0.0
    • @rocket.chat/server-cloud-communication@0.0.3
    • @rocket.chat/omnichannel-services@0.3.50
    • @rocket.chat/web-ui-registration@29.0.0
    • @rocket.chat/network-broker@0.2.32
    • @rocket.chat/password-policies@0.1.1
    • @rocket.chat/omni-core-ee@0.0.18
    • @rocket.chat/instance-status@0.1.53
    • @rocket.chat/media-signaling@0.2.0
    • @rocket.chat/patch-injection@0.0.2
    • @rocket.chat/media-calls@0.3.0
    • @rocket.chat/pdf-worker@0.3.32
    • @rocket.chat/account-utils@0.0.3
    • @rocket.chat/core-services@0.13.2
    • @rocket.chat/message-types@0.1.1
    • @rocket.chat/mongo-adapter@0.0.3
    • @rocket.chat/ui-video-conf@29.0.0
    • @rocket.chat/cas-validate@0.0.4
    • @rocket.chat/core-typings@8.3.0
    • @rocket.chat/server-fetch@0.1.2
    • @rocket.chat/presence@0.2.53
    • @rocket.chat/http-router@7.9.20
    • @rocket.chat/poplib@0.0.3
    • @rocket.chat/ui-composer@0.6.0
    • @rocket.chat/ui-contexts@29.0.0
    • @rocket.chat/license@1.1.13
    • @rocket.chat/api-client@0.2.53
    • @rocket.chat/log-format@0.0.3
    • @rocket.chat/gazzodown@29.0.0
    • @rocket.chat/omni-core@0.0.18
    • @rocket.chat/ui-avatar@25.0.0
    • @rocket.chat/ui-client@29.0.0
    • @rocket.chat/abac@0.1.6
    • @rocket.chat/favicon@0.0.5
    • @rocket.chat/tracing@0.0.2
    • @rocket.chat/agenda@0.1.1
    • @rocket.chat/base64@1.0.14
    • @rocket.chat/logger@1.0.1
    • @rocket.chat/random@1.2.3
    • @rocket.chat/sha256@1.0.13
    • @rocket.chat/tools@0.2.5
    • @rocket.chat/apps@0.6.6
    • @rocket.chat/cron@0.1.53
    • @rocket.chat/jwt@0.2.1