{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29198", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-03-04T15:00:09.266Z", "datePublished": "2026-04-22T23:30:15.355Z", "dateUpdated": "2026-04-23T17:41:50.981Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured."}], "affected": [{"defaultStatus": "affected", "vendor": "Rocket.Chat", "product": "Rocket.Chat", "versions": [{"version": "8.3.0", "status": "unaffected", "lessThan": "8.3.0", "versionType": "semver"}, {"version": "8.2.1", "status": "unaffected", "lessThan": "8.2.1", "versionType": "semver"}, {"version": "8.0.3", "status": "unaffected", "lessThan": "8.0.3", "versionType": "semver"}, {"version": "7.13.5", "status": "unaffected", "lessThan": "7.13.5", "versionType": "semver"}, {"version": "7.12.6", "status": "unaffected", "lessThan": "7.12.6", "versionType": "semver"}, {"version": "7.11.6", "status": "unaffected", "lessThan": "7.11.6", "versionType": "semver"}, {"version": "7.10.9", "status": "unaffected", "lessThan": "7.10.9", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/3564655"}, {"url": "https://github.com/RocketChat/Rocket.Chat/pull/39492"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-22T23:30:15.355Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T17:41:26.415612Z", "id": "CVE-2026-29198", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T17:41:50.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"affected": [{"vendor": "Rocket.Chat", "product": "Rocket.Chat", "versions": [{"status": "unaffected", "version": "8.3.0", "lessThan": "8.3.0", "versionType": "semver"}, {"status": "unaffected", "version": "8.2.1", "lessThan": "8.2.1", "versionType": "semver"}, {"status": "unaffected", "version": "8.0.3", "lessThan": "8.0.3", "versionType": "semver"}, {"status": "unaffected", "version": "7.13.5", "lessThan": "7.13.5", "versionType": "semver"}, {"status": "unaffected", "version": "7.12.6", "lessThan": "7.12.6", "versionType": "semver"}, {"status": "unaffected", "version": "7.11.6", "lessThan": "7.11.6", "versionType": "semver"}, {"status": "unaffected", "version": "7.10.9", "lessThan": "7.10.9", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://hackerone.com/reports/3564655"}, {"url": "https://github.com/RocketChat/Rocket.Chat/pull/39492"}], "descriptions": [{"lang": "en", "value": "In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-22T23:30:15.355Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29198", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T17:41:26.415612Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T17:41:45.450Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-29198", "state": "PUBLISHED", "dateUpdated": "2026-04-22T23:30:15.355Z", "dateReserved": "2026-03-04T15:00:09.266Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-04-22T23:30:15.355Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A86BCA2-5A24-4B8A-82D8-081A5176C761", "versionEndExcluding": "7.10.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "99AFFE2A-1F97-437F-988C-0F4422846406", "versionEndExcluding": "7.11.6", "versionStartIncluding": "7.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "526F29DC-2935-47A8-9AB0-87A59566224C", "versionEndExcluding": "7.12.6", "versionStartIncluding": "7.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4E95AE6-A8D2-4372-8FF6-10C0854D8970", "versionEndExcluding": "7.13.5", "versionStartIncluding": "7.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F9EF75A-7697-4B25-B15F-ECA61409E0EA", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F32DB15-3E9D-4572-BF9A-4E657EC060F1", "versionEndExcluding": "8.1.2", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "940DA170-88EF-44BD-848C-D2DE08A679D9", "versionEndExcluding": "8.2.1", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "8974643D-1E5C-4853-80A8-FA441D50C045", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D7552BC2-4389-4E16-8DE6-916B179B9A2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "8AD12B11-91D5-4E5D-8718-58B7C14B85C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "AFB9F6CC-A3C3-4098-B8F7-F259DDFC9F77", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "DF5447A1-6E23-42F3-B337-FBE82E89B5D1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured."}], "id": "CVE-2026-29198", "lastModified": "2026-05-13T20:39:44.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T00:16:45.060", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/RocketChat/Rocket.Chat/pull/39492"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/3564655"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.3.0,8.3.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.2.1,8.2.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.0.3,8.0.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.13.5,7.13.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.12.6,7.12.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.11.6,7.11.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.10.9,7.10.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Rocket.Chat", "source": "cna", "vendor": "Rocket.Chat"}, "product": "rocket.chat", "vendor": "rocket.chat"}], "analysis": {"en": {"generated_at": "2026-04-28T15:13:13.742815+00:00", "value": {"mitigation_remediation": ["Deploy the latest Rocket.Chat release (8.3.0 or later) which contains the NoSQL injection fix for OAuth configuration.", "If an immediate upgrade is not possible, remove any custom OAuth applications that have been created and recreate them with validated input, ensuring that all string fields are properly sanitized.", "Apply any available interim security patches or advisory releases from Rocket.Chat that address input validation in the OAuth module, and restrict access to the OAuth application creation API to trusted administrators.", "Monitor the OAuth application registry for suspicious or newly created apps, and enforce least privilege for configuration management.", "Review application logs for failed authentication attempts and any anomalies in token issuance patterns."], "summary": {"action": "Immediate Patch", "impact": "Account takeover via NoSQL injection in OAuth app configuration"}, "threat_synthesis": {"affected_systems": "All installations of Rocket.Chat running any of the affected versions listed above. The flaw is unrelated to specific deployment environments; it exists in the core code that handles OAuth application configuration. Administrators whose servers are publicly reachable and that allow OAuth application creation are particularly at risk.", "description_and_impact": "Rocket.Chat versions prior to 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, and 7.10.9 contain a NoSQL injection flaw that can be triggered when an OAuth application is set up. By injecting malicious payloads into the OAuth configuration, an attacker can cause the system to generate an authentication token that grants control over the first user account, effectively allowing account takeover. This vulnerability directly compromises account integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical level of severity, while the EPSS score of less than 1% suggests that exploitation is currently rare but not impossible. The vulnerability is not yet listed in CISA\u2019s KEV catalog, but its high score and the straightforward nature of the payload imply that an attacker who can create an OAuth app might exploit it without sophisticated tooling. The attack likely requires administrative access to the Rocket.Chat instance to add or modify OAuth applications, after which the injection can be triggered. Once the malicious token is issued, the attacker can impersonate the first user and gain full control of the system."}}}}, "created": "2026-04-27T22:45:15.245267+00:00", "title": "NoSQL Injection via OAuth App Enables Account Takeover in Rocket.Chat", "updated": "2026-04-28T15:15:34.210391+00:00", "vendors": ["rocket.chat", "rocket.chat$PRODUCT$rocket.chat"]}