Low authorization level at the server-side API operation e2e.updateGroupKey lets an attacker break the E2E architecture.
Team Summary
Official summary from Rocket.Chat
During my personal review of the E2E encryption feature, enabled by default on the open.rocket.chat server, which allows users to encrypt messages at the application layer inside a specific secure chat room, I found the following vulnerability: it is possible to break the E2E encryption of a secure chat room. The root cause of the vulnerability is the server-side API operation e2e.updateGroupKey. As you should know, this operation is in charge of inserting or updating the E2EKey in the rocketchat_subscription collection of the server's non-relational database (MongoDB). The rocketchat_subscription collection contains, for each user who belongs to an existing encrypted chat room, an entry with the E2EKey. This E2EKey is base64 data asymmetrically encrypted with RSA, using the public_key value stored in the user collection for the specific user, to encrypt the room key. The room key is used to encrypt and decrypt, with the symmetric AES algorithm, the messages stored in the server database for the specific secure chat.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Improper Access Control - Generic