Rocket.Chat
CVE-2026-30833
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
AnalysisAI
Unauthenticated NoSQL injection in Rocket.Chat's authentication service allows attackers to manipulate MongoDB queries by injecting operator expressions into username fields, potentially bypassing login controls and accessing unintended user accounts. The vulnerability affects versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, with no patch currently available for affected deployments.
Technical ContextAI
This vulnerability (CWE-943: Improper Neutralization of Special Elements in Data Query Logic) exists in the ddp-streamer micro component. Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector w
RemediationAI
Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation.
More in Rocket.Chat
View allRocket.Chat versions prior to 6.12.0 expose the OAuth applications API endpoint to any authenticated user, allowing disc
Auth bypass in Rocket.Chat before 7.8.6+. Multiple versions affected.
Auth bypass in Rocket.Chat before 7.10.8+. Second auth bypass CVE.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today