RocketChat · julio-rocketchat · Sep 19, 2025 · Sep 19, 2025
diff --git a/.changeset/grumpy-berries-arrive.md b/.changeset/grumpy-berries-arrive.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
diff --git a/apps/meteor/app/api/server/ApiClass.ts b/apps/meteor/app/api/server/ApiClass.ts
@@ -811,12 +811,15 @@ export class APIClass<
 						if (options.authRequired || options.authOrAnonRequired) {
 							const user = await api.authenticatedRoute.call(this, this.request);
 							this.user = user!;
-							this.userId = String(this.request.headers.get('x-user-id'));
+							this.userId = this.user?._id;
 							const authToken = this.request.headers.get('x-auth-token');
 							this.token = (authToken && Accounts._hashLoginToken(String(authToken)))!;
 						}
 
-						if (!this.user && options.authRequired && !options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead')) {
+						const shouldPreventAnonymousRead = !this.user && options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead');
+						const shouldPreventUserRead = !this.user && options.authRequired;
+
+						if (shouldPreventAnonymousRead || shouldPreventUserRead) {
 							const result = api.unauthorized('You must be logged in to do this.');
 							// compatibility with the old API
 							// TODO: MAJOR

diff --git a/apps/meteor/tests/end-to-end/api/channels.ts b/apps/meteor/tests/end-to-end/api/channels.ts
@@ -3503,10 +3503,10 @@ describe('[Channels]', () => {
 						roomId: testChannel._id,
 					})
 					.expect('Content-Type', 'application/json')
-					.expect(400)
+					.expect(401)
 					.expect((res) => {
 						expect(res.body).to.have.a.property('success', false);
-						expect(res.body).to.have.a.property('error', 'Enable "Allow Anonymous Read" [error-not-allowed]');
+						expect(res.body).to.have.a.property('error', 'You must be logged in to do this.');
 					})
 					.end(done);
 			});

diff --git a/apps/meteor/tests/end-to-end/api/users.ts b/apps/meteor/tests/end-to-end/api/users.ts
@@ -681,6 +681,53 @@ describe('[Users]', () => {
 			]),
 		);
 
+		it('should fail when request is without authentication credentials', async () => {
+			await request
+				.get(api('users.info'))
+				.query({
+					userId: targetUser._id,
+				})
+				.expect('Content-Type', 'application/json')
+				.expect(401)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error');
+				});
+		});
+
+		describe('authentication', () => {
+			before(() => updateSetting('Accounts_AllowAnonymousRead', true));
+			after(() => updateSetting('Accounts_AllowAnonymousRead', false));
+			it('should fail when request is without authentication credentials and Anonymous Read is enabled', async () => {
+				await request
+					.get(api('users.info'))
+					.query({
+						userId: targetUser._id,
+					})
+					.expect('Content-Type', 'application/json')
+					.expect(401)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('error');
+					});
+			});
+
+			it('should fail when request is without token and Anonymous Read is enabled', async () => {
+				await request
+					.get(api('users.info'))
+					.query({
+						userId: targetUser._id,
+					})
+					.set({ 'X-User-Id': credentials['X-User-Id'] })
+					.expect('Content-Type', 'application/json')
+					.expect(401)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('error');
+					});
+			});
+		});
+
 		it('should return an error when the user does not exist', (done) => {
 			void request
 				.get(api('users.info'))