8.6.0-rc.2

Engine versions

• Node: 22.22.3
• Deno: 2.3.1
• MongoDB: 8.0
• Apps-Engine: 1.64.0-rc.0

Patch Changes

• Bump @rocket.chat/meteor version.

• Updated dependencies []:

  • @rocket.chat/core-typings@8.6.0-rc.2
  • @rocket.chat/rest-typings@8.6.0-rc.2

8.6.0-rc.1

Engine versions

• Node: 22.22.3
• Deno: 2.3.1
• MongoDB: 8.0
• Apps-Engine: 1.64.0-rc.0

Patch Changes

• Bump @rocket.chat/meteor version.

• (#41057) Fixes incoming integrations inability of reaching internal hosts by adding "ignoreSsrfValidation: true" to it

• (#41046) Fixes an issue where editing or deleting a message in a federated room caused subsequent messages to stop syncing between servers

  Note: this prevents the issue from happening, but does not restore rooms that are already affected. Recovering those requires a separate, one-time repair.

• (#41065) Fixes REST API endpoints that require two-factor authentication (such as users.update) rejecting requests authenticated with a Personal Access Token created with "Ignore Two Factor Authentication", returning totp-required even though the token was meant to bypass the check. The two-factor authorization check now resolves the login token from the REST connection, so bypassTwoFactor tokens are honored again.

• Updated dependencies [308e1c5, 6fa5378, 5d5edd8, 9861932]:

  • @rocket.chat/federation-matrix@0.1.5-rc.1
  • @rocket.chat/core-typings@8.6.0-rc.1
  • @rocket.chat/media-signaling@1.1.0-rc.1
  • @rocket.chat/ui-voip@22.0.0-rc.1
  • @rocket.chat/rest-typings@8.6.0-rc.1

8.6.0-rc.0

Engine versions

• Node: 22.22.3
• Deno: 2.3.1
• MongoDB: 8.0
• Apps-Engine: 1.64.0-rc.0

Minor Changes

• (#40826) Shows a confirmation modal when switching attribute store setting

• (#40274) Adds the backend foundation for a unified presence engine with a priority-based claim system (internal > manual > external), status expiration, and previous state restore.

• (#40634) Allows using Virtru as the attribute store for ABAC decisions.

  Important

  • When using virtru as the store, the internal attribute store is disabled.
  • On switch, existing ABAC attributes from rooms will be removed. Rooms will continue to be private & no users will be removed until you add attributes again.
  • Users are only allowed to see & edit rooms they have access to. Access decision is evaluated on Virtru
  • A user/app with the bypass-abac-store-validation permission can assign any attributes to rooms, even if the user doesn't have them assigned on Virtru.

• (#40900) Added LibreTranslate as a message auto-translation provider, alongside Google, DeepL and Microsoft. LibreTranslate can be self-hosted, enabling fully on-premise / offline message auto-translation. Configure the instance URL (and optional API key) under Admin → Settings → Message → Auto-Translate → LibreTranslate and select it as the Service Provider.

• (#40532) Adds custom-sounds.delete API endpoint.

• (#40711) POST /v1/chat.delete now accepts { fileId, asUser? } as an alternative to { msgId, roomId, asUser? }. When fileId is provided the server resolves the owning message via Messages.getMessageByFileId before running the existing permission and deletion flow.

• (#40724) Added POST /v1/e2e.requestSubscriptionKeys (replaces the deprecated e2e.requestSubscriptionKeys DDP method). Auth-gated, no body. Broadcasts notify.e2e.keyRequest for every encrypted room the caller is subscribed to without an E2E key, matching the DDP method's behavior. The legacy DDP method remains registered until 9.0.0 with a deprecation log pointing at the new route.

• (#40724) Added POST /v1/im.blockUser (replaces the deprecated blockUser / unblockUser DDP methods). Body is { roomId, block: boolean } — block: true blocks the other DM participant, block: false unblocks. Auth-gated and per-room via the RoomMemberActions.BLOCK directive (DM-only). Both legacy DDP methods remain registered until 9.0.0 with deprecation logs pointing at the new route.

• (#40724) Added POST /v1/settings for batched admin setting updates (replaces the deprecated saveSettings DDP method). Body is { settings: { _id, value }[] }. The endpoint requires authentication, enforces 2FA (twoFactorRequired: true), and runs the same per-setting permission chain (edit-privileged-setting OR manage-selected-settings + per-id permission) and audit/notify side effects the DDP method already performed. The legacy DDP method remains registered until 9.0.0 with a deprecation log pointing at the new route.

• (#40711) GET /v1/spotlight now mirrors the DDP spotlight method:

  • accepts optional usernames (comma-separated string), type (JSON-encoded { users?, mentions?, rooms?, includeFederatedRooms? }) and rid query params;
  • response items expose nickname / outside (users) and uids / usernames / fname (rooms);
  • status on each user is now optional — outside/federated users were already being returned without one and the previous required-field schema rejected them as Response validation failed;
  • the endpoint is no longer auth-gated, allowing anonymous-read flows (e.g. Accounts_AllowAnonymousRead) to keep finding public channels through the navbar search.

• (#40711) POST /v1/users.setPreferences now accepts an optional data.utcOffset (number) field. The value is stored at the user-document root via Users.setUtcOffset (not under settings.preferences), matching what the legacy userSetUtcOffset DDP method did.

• (#40996) Added a new rooms.join REST endpoint that lets a user join any room type, replicating the behavior of the deprecated joinRoom DDP method. Unlike channels.join, it resolves all room types through the shared Room.join service (access checks, join codes, federation and omnichannel rules). The client now uses rooms.join instead of channels.join.

• (#40791) Exposes the isFederated and federation fields for room and user objects in apps

• (#40202) Introduces popout functionality for voice calls

Patch Changes

• (#40988) Added Tagalog (tl) as a selectable interface language. It appears in the user's Account → Preferences → Localization → Language dropdown; interface strings fall back to English until translations are contributed (same approach as other not-yet-translated locales).

• (#40902) Fixes a memory leakage on the CodeMirror component (used by code-typed settings)

• (#40759) Fixes S3 file upload failing when the region setting is empty or the endpoint is configured without a URL scheme

• (#40702) Fixes users.sendConfirmationEmail rejecting unauthenticated requests, which prevented unverified users from resending their verification email from the login screen

• (#40992) Fixes auto-translate not activating for users who set their language preference after joining rooms

• (#40711) Migrate six client DDP callers to their REST equivalents (the DDP methods stay registered on the server for external SDK/mobile clients, with a deprecation log pointing at the REST route until 9.0.0 removes them):

  • loadMissedMessages → GET /v1/chat.syncMessages
  • joinRoom → POST /v1/channels.join (channel-only; non-c rooms now error via REST the same way they used to via DDP)
  • userSetUtcOffset → POST /v1/users.setPreferences (new utcOffset field)
  • deleteFileMessage → POST /v1/chat.delete (new fileId body shape)
  • spotlight → GET /v1/spotlight (new usernames / type / rid query params)
  • listCustomSounds → GET /v1/custom-sounds.list

• (#40724) Migrate four client DDP callers to their REST equivalents (the DDP methods stay registered on the server for external SDK/mobile clients, with a deprecation log pointing at the REST route until 9.0.0 removes them):

  • deleteCustomSound → POST /v1/custom-sounds.delete
  • blockUser / unblockUser → POST /v1/im.blockUser (single toggle with { roomId, block: boolean })
  • saveSettings → POST /v1/settings
  • e2e.requestSubscriptionKeys → POST /v1/e2e.requestSubscriptionKeys

• (#41017) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40767) Fixes an issue that allowed users to create a DM and send messages to a deactivated account

• (#40857) Fixes non-deterministic comparator in team's channel desertion table

• (#41009) Fixes an issue where updating an app in quick succession could crash the server.

• (#40788) Fixes error handling when using invalid regular expressions on message search

• (#41007) Fixes the message list shifting when typing in the fully expanded message composer

• (#40802) Escapes HTML tags in exported data

• (#40982) Fixes an issue with embedded layout where users were able to receive VideoConf calls, causing the application to crash

• (#40996) Fixed the "not subscribed" room screen not updating after joining a room. The join mutation invalidated a stale React Query key that no longer matched the open-room query, so the UI kept showing the join prompt until a manual page refresh. It now invalidates the correct rooms reference key, so the room opens immediately after joining.

• (#40719 by @copilot-swe-agent) Fixes an issue that caused the UI to attempt to mark an unserved livechat room as read

• (#41009) Fixes an issue where an app's bot user presence was incorrectly shown as Offline after updating it.

• (#40849) Fixes the behavior when the login token expires to redirect the user to the login page

• ([#40842](https://github.com...

8.5.1

Engine versions

• Node: 22.22.3
• Deno: 2.3.1
• MongoDB: 8.0
• Apps-Engine: 1.63.0

Patch Changes

• Bump @rocket.chat/meteor version.

• Bump @rocket.chat/meteor version.

• (#40917 by @dionisio-bot) Escapes HTML tags in exported data

• (#40891 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40904 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• (#40938 by @dionisio-bot) Fixes an issue where description was incorrectly being used as alternative text for image attachments

• Updated dependencies [01a1846]:

  • @rocket.chat/federation-matrix@0.1.5
  • @rocket.chat/core-typings@8.5.1
  • @rocket.chat/rest-typings@8.5.1

8.4.4

Engine versions

• Node: 22.22.2
• Deno: 2.3.1
• MongoDB: 8.0
• Apps-Engine: 1.62.0

Patch Changes

• Bump @rocket.chat/meteor version.

• Bump @rocket.chat/meteor version.

• (#40918 by @dionisio-bot) Escapes HTML tags in exported data

• (#40892 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40905 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• (#40939 by @dionisio-bot) Fixes an issue where description was incorrectly being used as alternative text for image attachments

• Updated dependencies [4246165]:

  • @rocket.chat/federation-matrix@0.1.4
  • @rocket.chat/core-typings@8.4.4
  • @rocket.chat/rest-typings@8.4.4

8.3.6

Engine versions

• Node: 22.16.0
• Deno: 1.43.5
• MongoDB: 8.0
• Apps-Engine: 1.61.1

Patch Changes

• Bump @rocket.chat/meteor version.

• (#40919 by @dionisio-bot) Escapes HTML tags in exported data

• (#40894 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40906 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• Updated dependencies []:

  • @rocket.chat/core-typings@8.3.6
  • @rocket.chat/rest-typings@8.3.6

8.2.6

Engine versions

• Node: 22.16.0
• Deno: 1.43.5
• MongoDB: 8.0
• Apps-Engine: 1.60.1

Patch Changes

• Bump @rocket.chat/meteor version.

• (#40920 by @dionisio-bot) Escapes HTML tags in exported data

• (#40895 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40907 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• Updated dependencies []:

  • @rocket.chat/core-typings@8.2.6
  • @rocket.chat/rest-typings@8.2.6

8.1.6

Engine versions

• Node: 22.16.0
• Deno: 1.43.5
• MongoDB: 8.2
• Apps-Engine: 1.59.2

Patch Changes

• Bump @rocket.chat/meteor version.

• (#40921 by @dionisio-bot) Escapes HTML tags in exported data

• (#40896 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40908 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• Updated dependencies []:

  • @rocket.chat/core-typings@8.1.6
  • @rocket.chat/rest-typings@8.1.6
  • @rocket.chat/abac@0.1.8
  • @rocket.chat/federation-matrix@0.0.17
  • @rocket.chat/license@1.1.15
  • @rocket.chat/media-calls@0.2.8
  • @rocket.chat/omnichannel-services@0.3.52
  • @rocket.chat/pdf-worker@0.3.34
  • @rocket.chat/presence@0.2.55
  • @rocket.chat/api-client@0.2.55
  • @rocket.chat/apps@0.6.8
  • @rocket.chat/core-services@0.12.8
  • @rocket.chat/cron@0.1.55
  • @rocket.chat/fuselage-ui-kit@27.0.6
  • @rocket.chat/gazzodown@27.0.6
  • @rocket.chat/http-router@7.9.22
  • @rocket.chat/message-types@0.1.0
  • @rocket.chat/model-typings@2.0.8
  • @rocket.chat/ui-avatar@23.0.6
  • @rocket.chat/ui-client@27.0.6
  • @rocket.chat/ui-contexts@27.0.6
  • @rocket.chat/ui-voip@17.0.6
  • @rocket.chat/web-ui-registration@27.0.6
  • @rocket.chat/models@2.0.8
  • @rocket.chat/server-cloud-communication@0.0.2
  • @rocket.chat/network-broker@0.2.34
  • @rocket.chat/omni-core-ee@0.0.20
  • @rocket.chat/ui-theming@0.4.4
  • @rocket.chat/ui-video-conf@27.0.6
  • @rocket.chat/instance-status@0.1.55
  • @rocket.chat/omni-core@0.0.20

8.0.7

Engine versions

• Node: 22.16.0
• Deno: 1.43.5
• MongoDB: 8.2
• Apps-Engine: 1.59.1

Patch Changes

• Bump @rocket.chat/meteor version.

• (#40922 by @dionisio-bot) Escapes HTML tags in exported data

• (#40897 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40910 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• Updated dependencies []:

  • @rocket.chat/core-typings@8.0.7
  • @rocket.chat/rest-typings@8.0.7
  • @rocket.chat/abac@0.1.7
  • @rocket.chat/federation-matrix@0.0.16
  • @rocket.chat/license@1.1.14
  • @rocket.chat/media-calls@0.2.7
  • @rocket.chat/omnichannel-services@0.3.51
  • @rocket.chat/pdf-worker@0.3.33
  • @rocket.chat/presence@0.2.54
  • @rocket.chat/api-client@0.2.54
  • @rocket.chat/apps@0.6.7
  • @rocket.chat/core-services@0.12.7
  • @rocket.chat/cron@0.1.54
  • @rocket.chat/fuselage-ui-kit@26.0.7
  • @rocket.chat/gazzodown@26.0.7
  • @rocket.chat/http-router@7.9.21
  • @rocket.chat/message-types@0.1.0
  • @rocket.chat/model-typings@2.0.7
  • @rocket.chat/ui-avatar@22.0.7
  • @rocket.chat/ui-client@26.0.7
  • @rocket.chat/ui-contexts@26.0.7
  • @rocket.chat/ui-voip@16.0.7
  • @rocket.chat/web-ui-registration@26.0.7
  • @rocket.chat/models@2.0.7
  • @rocket.chat/server-cloud-communication@0.0.2
  • @rocket.chat/network-broker@0.2.33
  • @rocket.chat/omni-core-ee@0.0.19
  • @rocket.chat/ui-theming@0.4.4
  • @rocket.chat/ui-video-conf@26.0.7
  • @rocket.chat/instance-status@0.1.54
  • @rocket.chat/omni-core@0.0.19

7.13.9

Engine versions

• Node: 22.16.0
• Deno: 1.43.5
• MongoDB: 5, 6, 7, 8
• Apps-Engine: 1.58.1

Patch Changes

• Bump @rocket.chat/meteor version.

• (#40923 by @dionisio-bot) Escapes HTML tags in exported data

• (#40898 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#40911 by @dionisio-bot) Fixes missing permission check on the POST /api/v1/fingerprint endpoint

• Updated dependencies []:

  • @rocket.chat/core-typings@7.13.9
  • @rocket.chat/rest-typings@7.13.9
  • @rocket.chat/federation-matrix@0.0.15
  • @rocket.chat/license@1.1.13
  • @rocket.chat/media-calls@0.1.9
  • @rocket.chat/omnichannel-services@0.3.50
  • @rocket.chat/pdf-worker@0.3.32
  • @rocket.chat/presence@0.2.53
  • @rocket.chat/api-client@0.2.53
  • @rocket.chat/apps@0.5.32
  • @rocket.chat/core-services@0.11.9
  • @rocket.chat/cron@0.1.53
  • @rocket.chat/freeswitch@1.2.40
  • @rocket.chat/fuselage-ui-kit@25.0.9
  • @rocket.chat/gazzodown@25.0.9
  • @rocket.chat/http-router@7.9.20
  • @rocket.chat/message-types@0.0.1
  • @rocket.chat/model-typings@1.9.9
  • @rocket.chat/ui-avatar@21.0.9
  • @rocket.chat/ui-client@25.0.9
  • @rocket.chat/ui-contexts@25.0.9
  • @rocket.chat/web-ui-registration@25.0.9
  • @rocket.chat/models@1.8.9
  • @rocket.chat/server-cloud-communication@0.0.2
  • @rocket.chat/network-broker@0.2.32
  • @rocket.chat/omni-core-ee@0.0.18
  • @rocket.chat/ui-theming@0.4.4
  • @rocket.chat/ui-video-conf@25.0.9
  • @rocket.chat/ui-voip@15.0.9
  • @rocket.chat/instance-status@0.1.53
  • @rocket.chat/omni-core@0.0.18