Releases: RocketChat/Rocket.Chat
Release list
8.0.8
Engine versions
- Node:
22.16.0 - Deno:
1.43.5 - MongoDB:
8.2 - Apps-Engine:
1.59.1
Patch Changes
-
Bump @rocket.chat/meteor version.
-
(#41240 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41250 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41298 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41290 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [1a604e2]:
- @rocket.chat/core-typings@8.0.8
- @rocket.chat/model-typings@2.0.8
- @rocket.chat/models@2.0.8
- @rocket.chat/abac@0.1.8
- @rocket.chat/federation-matrix@0.0.17
- @rocket.chat/license@1.1.15
- @rocket.chat/media-calls@0.2.8
- @rocket.chat/omnichannel-services@0.3.52
- @rocket.chat/pdf-worker@0.3.34
- @rocket.chat/presence@0.2.55
- @rocket.chat/api-client@0.2.55
- @rocket.chat/apps@0.6.8
- @rocket.chat/core-services@0.12.8
- @rocket.chat/cron@0.1.55
- @rocket.chat/fuselage-ui-kit@26.0.8
- @rocket.chat/gazzodown@26.0.8
- @rocket.chat/http-router@7.9.22
- @rocket.chat/message-types@0.1.0
- @rocket.chat/rest-typings@8.0.8
- @rocket.chat/ui-avatar@22.0.8
- @rocket.chat/ui-client@26.0.8
- @rocket.chat/ui-contexts@26.0.8
- @rocket.chat/ui-voip@16.0.8
- @rocket.chat/web-ui-registration@26.0.8
- @rocket.chat/omni-core-ee@0.0.20
- @rocket.chat/instance-status@0.1.55
- @rocket.chat/omni-core@0.0.20
- @rocket.chat/server-cloud-communication@0.0.2
- @rocket.chat/network-broker@0.2.34
- @rocket.chat/ui-theming@0.4.4
- @rocket.chat/ui-video-conf@26.0.8
8.6.1
Engine versions
- Node:
22.22.3 - Deno:
2.3.1 - MongoDB:
8.0 - Apps-Engine:
1.64.1
Patch Changes
-
Bump @rocket.chat/meteor version.
-
Bump @rocket.chat/meteor version.
-
(#41234 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41243 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41308 by @dionisio-bot) Fixes wrong FederationLookup type assigned to IUser in apps. The correct data is there, but the type does not represent it.
-
(#41292 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41276 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
8.5.2
Engine versions
- Node:
22.22.3 - Deno:
2.3.1 - MongoDB:
8.0 - Apps-Engine:
1.63.0
Patch Changes
-
Bump @rocket.chat/meteor version.
-
Bump @rocket.chat/meteor version.
-
(#41235 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41244 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41293 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41277 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [ac29d8a]:
- @rocket.chat/core-typings@8.5.2
- @rocket.chat/model-typings@2.3.1
- @rocket.chat/models@2.3.1
- @rocket.chat/rest-typings@8.5.2
8.4.5
Engine versions
- Node:
22.22.2 - Deno:
2.3.1 - MongoDB:
8.0 - Apps-Engine:
1.62.0
Patch Changes
-
Bump @rocket.chat/meteor version.
-
Bump @rocket.chat/meteor version.
-
(#41236 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41245 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41294 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41278 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [bd53954]:
- @rocket.chat/core-typings@8.4.5
- @rocket.chat/model-typings@2.2.3
- @rocket.chat/models@2.2.3
- @rocket.chat/rest-typings@8.4.5
8.3.7
Engine versions
- Node:
22.16.0 - Deno:
1.43.5 - MongoDB:
8.0 - Apps-Engine:
1.61.1
Patch Changes
-
Bump @rocket.chat/meteor version.
-
(#41237 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41246 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41295 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41280 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [c15e433]:
- @rocket.chat/core-typings@8.3.7
- @rocket.chat/model-typings@2.1.7
- @rocket.chat/models@2.1.7
- @rocket.chat/rest-typings@8.3.7
8.2.7
Engine versions
- Node:
22.16.0 - Deno:
1.43.5 - MongoDB:
8.0 - Apps-Engine:
1.60.1
Patch Changes
-
Bump @rocket.chat/meteor version.
-
(#41238 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41247 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41296 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41288 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [20d752e]:
- @rocket.chat/core-typings@8.2.7
- @rocket.chat/model-typings@2.1.5
- @rocket.chat/models@2.1.5
- @rocket.chat/rest-typings@8.2.7
8.1.7
Engine versions
- Node:
22.16.0 - Deno:
1.43.5 - MongoDB:
8.2 - Apps-Engine:
1.59.2
Patch Changes
-
Bump @rocket.chat/meteor version.
-
(#41239 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41248 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41297 by @dionisio-bot) Ensures the
users.CreateTokenendpoint checks for theuser-generate-access-tokenpermission when generating a login token for another user -
(#41289 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [4511f54]:
- @rocket.chat/core-typings@8.1.7
- @rocket.chat/model-typings@2.0.9
- @rocket.chat/models@2.0.9
- @rocket.chat/abac@0.1.9
- @rocket.chat/federation-matrix@0.0.18
- @rocket.chat/license@1.1.16
- @rocket.chat/media-calls@0.2.9
- @rocket.chat/omnichannel-services@0.3.53
- @rocket.chat/pdf-worker@0.3.35
- @rocket.chat/presence@0.2.56
- @rocket.chat/api-client@0.2.56
- @rocket.chat/apps@0.6.9
- @rocket.chat/core-services@0.12.9
- @rocket.chat/cron@0.1.56
- @rocket.chat/fuselage-ui-kit@27.0.7
- @rocket.chat/gazzodown@27.0.7
- @rocket.chat/http-router@7.9.23
- @rocket.chat/message-types@0.1.0
- @rocket.chat/rest-typings@8.1.7
- @rocket.chat/ui-avatar@23.0.7
- @rocket.chat/ui-client@27.0.7
- @rocket.chat/ui-contexts@27.0.7
- @rocket.chat/ui-voip@17.0.7
- @rocket.chat/web-ui-registration@27.0.7
- @rocket.chat/omni-core-ee@0.0.21
- @rocket.chat/instance-status@0.1.56
- @rocket.chat/omni-core@0.0.21
- @rocket.chat/server-cloud-communication@0.0.2
- @rocket.chat/network-broker@0.2.35
- @rocket.chat/ui-theming@0.4.4
- @rocket.chat/ui-video-conf@27.0.7
7.10.14
Engine versions
- Node:
22.16.0 - Deno:
1.43.5 - MongoDB:
5.0, 6.0, 7.0 - Apps-Engine:
1.55.3
Patch Changes
-
Bump @rocket.chat/meteor version.
-
(#41241 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41253 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
-
(#41291 by @dionisio-bot) Ensures room permission checks are applied consistently regardless of how the room is identified when converting a channel to a team or creating a team from an existing room
-
Updated dependencies [ff59bb4]:
- @rocket.chat/core-typings@7.10.14
- @rocket.chat/model-typings@1.7.14
- @rocket.chat/models@1.6.14
- @rocket.chat/license@1.0.42
- @rocket.chat/omnichannel-services@0.3.48
- @rocket.chat/pdf-worker@0.3.30
- @rocket.chat/presence@0.2.51
- @rocket.chat/api-client@0.2.51
- @rocket.chat/apps@0.5.30
- @rocket.chat/core-services@0.10.14
- @rocket.chat/cron@0.1.51
- @rocket.chat/freeswitch@1.2.38
- @rocket.chat/fuselage-ui-kit@22.0.14
- @rocket.chat/gazzodown@22.0.14
- @rocket.chat/http-router@7.9.18
- @rocket.chat/rest-typings@7.10.14
- @rocket.chat/ui-avatar@18.0.14
- @rocket.chat/ui-client@22.0.14
- @rocket.chat/ui-contexts@22.0.14
- @rocket.chat/web-ui-registration@22.0.14
- @rocket.chat/omni-core-ee@0.0.16
- @rocket.chat/instance-status@0.1.51
- @rocket.chat/omni-core@0.0.16
- @rocket.chat/server-cloud-communication@0.0.2
- @rocket.chat/network-broker@0.2.30
- @rocket.chat/ui-theming@0.4.3
- @rocket.chat/ui-video-conf@22.0.14
- @rocket.chat/ui-voip@12.0.14
8.6.0
Release 8.6.0
Release Date: July 3, 2026
Support Window: Supported until January 31, 2027
Summary
Security and Compliance
Security improvements, authentication changes, data protection, and vulnerability fixes.
This release adds Virtru as an external attribute store option for attribute-based access control, selectable under Administration > Settings > ABAC, and deactivates users locked out in LDAP or Active Directory during sync. Sign-in with Apple is hardened with full identity token validation, the Apps Engine package parser is protected against prototype pollution, file deletion and the workspace fingerprint endpoint now require proper authorization, HTML is escaped in message exports and emailed data downloads, and incoming webhook integrations receive a bundled security hotfix, including an SSRF-related fix. Expired sessions now redirect to the login page, unverified users can resend their confirmation email from the login screen, personal access tokens configured to bypass two-factor authentication are accepted correctly, and PDF downloads from encrypted rooms keep their original format and filename.
Messaging and Collaboration
Features and fixes related to messaging, channels, discussions, and communication workflows.
Voice calls can now be popped out into a separate floating window that keeps all call controls while you navigate the workspace, LibreTranslate is available as an auto-translation provider alongside Google, DeepL, and Microsoft, and a new rooms.join API endpoint lets users join any room type, including discussions. Automatic translation now also covers users who joined rooms before setting a language preference, and direct messages with deactivated users become read-only. Fixes improve voice calls accepted from the mobile lock screen, bot assignment after agents reach their simultaneous chat limit, attachment accessibility and descriptions, message search with invalid regular expressions, false "Room not found" errors after reconnection, thread scrolling and reply behavior, jump-to-message after refresh, and overall UI stability across room, team, and account views.
Platform and Extensibility
Developer platform, APIs, integrations, and application framework improvements.
A unified presence sync engine resolves user online status through a priority-based claim system with status expiration and previous-state restore, exposed via the users REST endpoint and Apps Engine user objects. Apps Engine room and user objects now include federation fields, a new endpoint removes custom sounds, and several REST endpoints were extended to mirror their deprecated DDP equivalents, which now log warnings and remain available until 9.0.0. Fixes address a server crash when a Marketplace app is updated twice in quick succession and a federation issue where editing or deleting a message stopped subsequent messages from syncing between servers.
Data, Storage, and Infrastructure
Database, performance, storage, and system-level improvements.
S3-compatible file uploads no longer fail when the region is empty or the bucket URL omits a scheme. Rooms open faster through parallelized and cached message-history loads, navbar search returns results sooner using cached subscriptions, and the Discussions list is virtualized for smoother scrolling and lower memory use on long lists.
Admin, Configuration, and Workspace Management
Administrative controls, configuration settings, and workspace management improvements.
Filipino (Tagalog) joins the available user and workspace language options, the workspace hashed URL now appears on the Manage > Workspace deployment card and in server startup logs, and avatar URL validation error messages preserve the exact URL submitted without additional encoding.
For further details, check out the release notes.
Engine versions
- Node:
22.22.3 - Deno:
2.3.1 - MongoDB:
8.0 - Apps-Engine:
1.64.0
Minor Changes
-
(#40826) Shows a confirmation modal when switching attribute store setting
-
(#40274) Adds the backend foundation for a unified presence engine with a priority-based claim system (internal > manual > external), status expiration, and previous state restore.
-
(#40634) Allows using Virtru as the attribute store for ABAC decisions.
Important
- When using virtru as the store, the internal attribute store is disabled.
- On switch, existing ABAC attributes from rooms will be removed. Rooms will continue to be private & no users will be removed until you add attributes again.
- Users are only allowed to see & edit rooms they have access to. Access decision is evaluated on Virtru
- A user/app with the
bypass-abac-store-validationpermission can assign any attributes to rooms, even if the user doesn't have them assigned on Virtru.
-
(#40900) Added LibreTranslate as a message auto-translation provider, alongside Google, DeepL and Microsoft. LibreTranslate can be self-hosted, enabling fully on-premise / offline message auto-translation. Configure the instance URL (and optional API key) under Admin → Settings → Message → Auto-Translate → LibreTranslate and select it as the Service Provider.
-
(#40532) Adds custom-sounds.delete API endpoint.
-
(#40711)
POST /v1/chat.deletenow accepts{ fileId, asUser? }as an alternative to{ msgId, roomId, asUser? }. WhenfileIdis provided the server resolves the owning message viaMessages.getMessageByFileIdbefore running the existing permission and deletion flow. -
(#40724) Added
POST /v1/e2e.requestSubscriptionKeys(replaces the deprecatede2e.requestSubscriptionKeysDDP method). Auth-gated, no body. Broadcastsnotify.e2e.keyRequestfor every encrypted room the caller is subscribed to without an E2E key, matching the DDP method's behavior. The legacy DDP method remains registered until 9.0.0 with a deprecation log pointing at the new route. -
(#40724) Added
POST /v1/im.blockUser(replaces the deprecatedblockUser/unblockUserDDP methods). Body is{ roomId, block: boolean }—block: trueblocks the other DM participant,block: falseunblocks. Auth-gated and per-room via theRoomMemberActions.BLOCKdirective (DM-only). Both legacy DDP methods remain registered until 9.0.0 with deprecation logs pointing at the new route. -
(#40724) Added
POST /v1/settingsfor batched admin setting updates (replaces the deprecatedsaveSettingsDDP method). Body is{ settings: { _id, value }[] }. The endpoint requires authentication, enforces 2FA (twoFactorRequired: true), and runs the same per-setting permission chain (edit-privileged-settingORmanage-selected-settings+ per-id permission) and audit/notify side effects the DDP method already performed. The legacy DDP method remains registered until 9.0.0 with a deprecation log pointing at the new route. -
(#40711)
GET /v1/spotlightnow mirrors the DDPspotlightmethod:- accepts optional
usernames(comma-separated string),type(JSON-encoded{ users?, mentions?, rooms?, includeFederatedRooms? }) andridquery params; - response items expose
nickname/outside(users) anduids/usernames/fname(rooms); statuson each user is now optional — outside/federated users were already being returned without one and the previous required-field schema rejected them asResponse validation failed;- the endpoint is no longer auth-gated, allowing anonymous-read flows (e.g.
Accounts_AllowAnonymousRead) to keep finding public channels through the navbar search.
- accepts optional
-
(#40711)
POST /v1/users.setPreferencesnow accepts an optionaldata.utcOffset(number) field. The value is stored at the user-document root viaUsers.setUtcOffset(not undersettings.preferences), matching what the legacyuserSetUtcOffsetDDP method did. -
(#40996) Added a new
rooms.joinREST endpoint that lets a user join any room type, replicating the behavior of the deprecatedjoinRoomDDP method. Unlikechannels.join, it resolves all room types through the sharedRoom.joinservice (access checks, join codes, federation and omnichannel rules). The client now usesrooms.joininstead ofchannels.join. -
(#40791) Exposes the
isFederatedandfederationfields for room and user objects in apps -
(#40202) Introduces popout functionality for voice calls
Patch Changes
-
(#40988) Added Tagalog (
tl) as a selectable interface language. It appears in the user's Account → Preferences → Localization → Language dropdown; interface strings fall back to English until translations are contributed (same approach as other not-yet-translated locales). -
Bump @rocket.chat/meteor version.
-
Bump @rocket.chat/meteor version.
-
Bump @rocket.chat/meteor version.
-
Bump @rocket.chat/meteor version.
-
(#40902) Fixes a memory leakage on the CodeM...
8.6.0-rc.3
Engine versions
- Node:
22.22.3 - Deno:
2.3.1 - MongoDB:
8.0 - Apps-Engine:
1.64.0-rc.0
Patch Changes
-
Bump @rocket.chat/meteor version.
-
Updated dependencies []:
- @rocket.chat/core-typings@8.6.0-rc.3
- @rocket.chat/rest-typings@8.6.0-rc.3