CRITICAL🇵🇱 Wersja polska

CVE-2026-29198

CVSS 9.8v3.1pub. 2026-04-23upd. 2026-05-13

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

🤖 AI Analysis
How it works

The vulnerability results from improper input validation in the context of NoSQL database queries. When an OAuth application is configured in the Rocket.Chat instance, an attacker can craft a malicious query containing NoSQL operators, thereby bypassing authentication mechanisms. As a result, it is possible to locate and take over the account of the first user for whom an access token was generated.

Impact

An unauthenticated attacker can completely take over a user account (account takeover), gaining full access to their data, messages, and permissions within the Rocket.Chat instance.

Mitigation & patch

Rocket.Chat must be immediately updated to version 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, or 7.10.9 (depending on the branch in use). As a temporary measure, consider disabling configured OAuth applications until the patch is deployed. Details available in the vendor's pull request: https://github.com/RocketChat/Rocket.Chat/pull/39492.

Who is affected

Rocket.Chat in versions: below 8.3.0, below 8.2.1, below 8.1.2, below 8.0.3, below 7.13.5, below 7.12.6, below 7.11.6, and below 7.10.9 — only when an OAuth application is configured.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Rocket.chat

    APP
    Rocket.Chat
    8.3.07.11.0 – 7.11.6 (bez)7.12.0 – 7.12.6 (bez)7.13.0 – 7.13.5 (bez)< 7.10.98.1.0 – 8.1.2 (bez)8.2.0 – 8.2.1 (bez)8.0.0 – 8.0.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-48616CRITICAL9.3ten sam produkt

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerab...

CVE-2026-28514CRITICAL9.3PL ✓ten sam produkt

Rocket.Chat — pominięcie await powoduje auth bypass w ddp-streamer

CVE-2023-28316CRITICAL9.8ten sam produkt

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where o...

CVE-2022-44567CRITICAL9.8ten sam produkt

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a...

CVE-2021-22910CRITICAL9.8ten sam produkt

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed quer...