CVE-2026-29198 PUBLISHED

Assigner: hackerone
Reserved: 04.03.2026 Published: 22.04.2026 Updated: 22.04.2026

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

Product Status

Vendor	Rocket.Chat
Product	Rocket.Chat
Versions	Default: affected unaffected from 8.3.0 to 8.3.0 (excl.) unaffected from 8.2.1 to 8.2.1 (excl.) unaffected from 8.0.3 to 8.0.3 (excl.) unaffected from 7.13.5 to 7.13.5 (excl.) unaffected from 7.12.6 to 7.12.6 (excl.) unaffected from 7.11.6 to 7.11.6 (excl.) unaffected from 7.10.9 to 7.10.9 (excl.)

References

https://hackerone.com/reports/3564655
https://github.com/RocketChat/Rocket.Chat/pull/39492