Rocket.Chat Security
2026-04-23 05:27:17

Groundbreaking Security Analysis of Rocket.Chat at Black Hat Asia 2026

Significant Security Vulnerabilities Discovered in Rocket.Chat

In a remarkable achievement, a collaborative research team from the National Institute of Information and Communications Technology (NICT), Osaka University, and NEC has performed the first-ever security assessment of Rocket.Chat, a widely used on-premise chat tool with around 12 million users worldwide. The assessment focused on the cryptographic methods used within the platform and combined specification analysis, implementation analysis, and proof-of-concept demonstrations.

During this pioneering evaluation, the researchers uncovered several critical vulnerabilities enabling message forgery, decryption of encrypted messages, and long-lasting attacks. By designing hypothetical attack scenarios that exploit these vulnerabilities before real attackers could, the team proactively developed countermeasures to strengthen the platform's security.

These findings will be presented at the prestigious Black Hat Asia 2026 Briefings, marking an important moment for both academia and industry in the field of cybersecurity.

Background of the Research

Traditionally, commercial chat tools such as Slack and Microsoft Teams have mostly followed the Software as a Service (SaaS) model, which relies heavily on the service provider for data management and security. However, recent concerns about the handling of sensitive corporate data, along with the risks of depending on foreign SaaS products, have prompted a shift. Organizations are increasingly opting for on-premise chat solutions, hosting the software on their own servers to retain control over message and user data.

Rocket.Chat has gained attention in this landscape, particularly because it implements end-to-end encryption for text messaging, which is crucial when handling high-security data. Despite its growing use among domestic and international corporations, the complexity of Rocket.Chat's proprietary implementation had previously hindered adequate security validation, leaving users exposed to unexamined vulnerabilities and creating an urgent need for remediation.

The Research Findings

The research team applied a novel security analysis technique to examine Rocket.Chat in detail. The assessment revealed structural issues, such as insufficient coordination between the multiple protocol designs used in the platform, leading to vulnerabilities such as message forgery and decryption of encrypted messages. Furthermore, the lack of effective countermeasures against key leakage during both encryption and decryption made prolonged attacks possible.

To clarify the conditions under which these vulnerabilities could be exploited, the researchers crafted detailed attack scenarios and validated their feasibility through proof-of-concept demonstrations.

In May 2024, the results were reported to Rocket.Chat Technology, the company behind the platform. Collaboration began immediately: the researchers proposed solutions to mitigate the identified attacks and provided insights into overall protocol improvements. Between October 2024 and December 2025, significant updates and patches addressing the high-impact attack vectors were released, as acknowledged in the official release notes.

By addressing these vulnerabilities, this work makes a significant contribution to preventing potential cyberattacks. Having garnered high praise from both academic and industry circles, the research will be showcased at the Black Hat Asia 2026 Briefings in Singapore.

Future Directions

Building on this essential groundwork, the research team aims to continue evaluating the cryptographic methods employed in chat and messaging services, driving efforts to improve the security of next-generation communication tools.

Publication Details

  • Authors: Hayato Kimura, Ryoma Ito, Kazuhiko Minematsu, and Takanori Isobe
  • Paper Title: Gravity of the Situation: Security Analysis on Rocket.Chat E2EE
  • Published In: The 41st Annual Computer Security Applications Conference (ACSAC 2025)
  • URL: Link to Paper

Presentation Information

  • Date: April 24, 2026
  • Presenter: Hayato Kimura
  • Contributors: Ryoma Ito, Kazuhiko Minematsu, and Takanori Isobe
  • Presentation Title: Payload Compromised: Full Key Recovery in Rocket.Chat E2EE
  • Conference: Black Hat Asia 2026 Briefings
  • URL: Link to Conference

This research was supported by JST ACT-X JPMJAX25M8, JST, AIP Accelerated Program, JPMJCR24U1, and JSPS KAKENHI JP24H00696.
