In the settings of a Mozilla Hub, an admin user can disable the creation an object or move deny to move any object. This is bypassable with the usage of certain /<commands> inside the chat feature. An attacker does not to be authenticated nor have joined the room to perform this attack. With some JavaScript magic, they can trick the browser thinking we are in the room, which we are not. An attacker is able to place different kinds of objects while the admin user specifically disables the creation of objects inside the room. The server does not validate the access control rules of the room when calling the websockets requests to create an object.