NoSQL Injection Vulnerability in Rocket.Chat by Rocket.Chat
CVE-2026-29198
Currently unrated
What is CVE-2026-29198?
Rocket.Chat versions prior to 8.3.0 are vulnerable to NoSQL injection. An attacker can use it to take over accounts without authorization, specifically the initial user, when an OAuth application is integrated. The flaw arises when user-generated tokens are processed without proper validation, potentially exposing sensitive data and user accounts. Organizations running these versions should assess their exposure and apply the appropriate patches to mitigate the risk.
Affected Version(s)
Rocket.Chat 8.3.0
Rocket.Chat 8.2.1
