An email address enumeration vulnerability exists in the password reset function of Rocket.Chat up to and including 3.9.1.
rocket.chat rocket.chat