sendFileMessage trusts client upload _id and allows unauthorized file finalization #38892

@sahillllllllll-bit

The Meteor method sendFileMessage accepts a file: Partial object from the client and passes it to parseFileIntoMessageAttachments.

Inside that function the server finalizes the upload:

await Uploads.updateFileComplete(file._id, user._id, omit(file, '_id'));

The upload _id is provided by the client, but the server does not verify that the upload belongs to the same user or the same room.

An authenticated user can supply another user’s upload _id, causing the server to mark that upload as completed and attach it to a room they can access.

Impact

Possible:

  • attaching someone else’s file to a room
  • incorrect file ownership
  • privacy/audit inconsistencies

Proposed Fix

Verify upload ownership before updating:

const upload = await Uploads.findOneById(file._id, {
  projection: { _id: 1, userId: 1, rid: 1 },
});

if (!upload || upload.userId !== user._id || upload.rid !== roomId) {
  throw new Meteor.Error('error-invalid-file', 'Invalid upload ownership');
}

Then run:

await Uploads.updateFileComplete(file._id, user._id, omit(file, '_id'));
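The proposed check, run against a constructed in-memory stand-in for `Uploads`. This is an added example, not Rocket.Chat's code: `UploadStore`, `finalizeUnchecked`, `finalizeChecked`, `demo` and the sample users and rooms are hypothetical, the calls are synchronous for brevity, and `updateFileComplete` is modelled as matching on `_id` alone, as the issue describes.

```javascript
// Constructed in-memory stand-in for the Uploads collection; not Rocket.Chat code.
class UploadStore {
  constructor(docs) {
    this.docs = new Map(docs.map((d) => [d._id, { ...d }]));
  }
  findOneById(id) {
    return this.docs.get(id);
  }
  // Assumption: finalization matches on _id alone, as the issue describes.
  updateFileComplete(id, userId, fields) {
    const doc = this.docs.get(id);
    if (doc) Object.assign(doc, fields, { complete: true });
  }
}

// Before: the client-supplied _id is finalized with no ownership check.
function finalizeUnchecked(store, user, roomId, file) {
  const { _id, ...rest } = file;
  store.updateFileComplete(_id, user._id, rest);
}

// After: the stored record, not the client object, decides who owns the upload.
function finalizeChecked(store, user, roomId, file) {
  const upload = store.findOneById(file._id);
  if (!upload || upload.userId !== user._id || upload.rid !== roomId) {
    throw new Error('error-invalid-file');
  }
  finalizeUnchecked(store, user, roomId, file);
}

// Constructed sample data: userA's pending upload in roomA; userB only has roomB.
function demo() {
  const seed = [{ _id: 'up1', userId: 'userA', rid: 'roomA', complete: false }];
  const file = { _id: 'up1', name: 'report.pdf' };
  const before = new UploadStore(seed);
  finalizeUnchecked(before, { _id: 'userB' }, 'roomB', file);

  const after = new UploadStore(seed);
  let rejected = false;
  try {
    finalizeChecked(after, { _id: 'userB' }, 'roomB', file);
  } catch (e) {
    rejected = true;
  }
  const untouched = after.findOneById('up1').complete === false;
  finalizeChecked(after, { _id: 'userA' }, 'roomA', file);
  const ownerFinalized = after.findOneById('up1').complete;
  return { uncheckedFinalized: before.findOneById('up1').complete, rejected, untouched, ownerFinalized };
}
```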
