CVE-2026-29198
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rocket.Chat | Rocket.Chat | 8.3.0 < 8.3.0 | unaffected |
| Rocket.Chat | Rocket.Chat | 8.2.1 < 8.2.1 | unaffected |
| Rocket.Chat | Rocket.Chat | 8.0.3 < 8.0.3 | unaffected |
| Rocket.Chat | Rocket.Chat | 7.13.5 < 7.13.5 | unaffected |
| Rocket.Chat | Rocket.Chat | 7.12.6 < 7.12.6 | unaffected |
| Rocket.Chat | Rocket.Chat | 7.11.6 < 7.11.6 | unaffected |
| Rocket.Chat | Rocket.Chat | 7.10.9 < 7.10.9 | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.