Rocket.Chat: Unauthenticated attackers can access unauthorized user accounts
CVE-2026-30833
Summary
Before updating to Rocket.Chat versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0, attackers without a login could potentially access accounts they shouldn't have access to. This is because user input isn't properly checked, allowing attackers to manipulate database queries. To fix this, update to the latest patched version of Rocket.Chat.
Original title
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists ...
Original description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer microservice that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
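The description above boils down to one pattern: a value received over the wire (which in DDP/JSON can be an object, not only a string) is dropped straight into a MongoDB selector. The following is an added example, not Rocket.Chat's code, that puts the unvalidated selector next to a hardened one and runs both against a constructed in-memory stand-in for the users collection, so the difference in how many records each lets through is visible. The names buildSelectorUnsafe, buildSelectorSafe, findUsers, compare and the USERS array are all assumptions made for this illustration.

```javascript
// Added example (not Rocket.Chat's code): why an unvalidated login
// selector is dangerous and how a type check closes the hole.
// USERS is a constructed stand-in for the users collection.
const USERS = [
  { _id: 'u1', username: 'alice' },
  { _id: 'u2', username: 'bob' },
  { _id: 'u3', username: 'carol' },
];

// Vulnerable pattern: whatever arrived in the login request is used
// as the selector value, so an object such as { $regex: '.*' } is
// passed to the database as an operator instead of a literal name.
function buildSelectorUnsafe(username) {
  return { username };
}

// Hardened pattern: the selector is only built from a primitive,
// non-empty string. Objects, arrays, numbers and null are rejected
// before any query exists, so operator expressions never reach MongoDB.
function buildSelectorSafe(username) {
  if (typeof username !== 'string' || username.length === 0) {
    throw new TypeError('username must be a non-empty string');
  }
  return { username };
}

// Minimal offline stand-in for MongoDB's per-field matching: a plain
// value compares by equality, an object with $regex behaves as the
// operator does in MongoDB. Other operators are deliberately not modelled.
function fieldMatches(value, condition) {
  if (condition !== null && typeof condition === 'object') {
    if ('$regex' in condition) {
      return new RegExp(condition.$regex).test(String(value));
    }
    throw new Error('operator not modelled: ' + Object.keys(condition).join(','));
  }
  return value === condition;
}

// Applies a selector to every record, like collection.find(selector).
function findUsers(selector) {
  return USERS.filter((doc) =>
    Object.keys(selector).every((k) => fieldMatches(doc[k], selector[k])));
}

// Returns how many records each pattern matches for the same input.
// The safe pattern reports 'rejected' when the input never becomes a query.
function compare(input) {
  const unsafe = findUsers(buildSelectorUnsafe(input)).length;
  let safe;
  try {
    safe = findUsers(buildSelectorSafe(input)).length;
  } catch (e) {
    safe = 'rejected';
  }
  return { unsafe, safe };
}

// A normal login name matches exactly one record either way; the
// operator object from the advisory matches every record through the
// unsafe selector and is refused outright by the safe one.
console.log(compare('alice'));           // { unsafe: 1, safe: 1 }
console.log(compare({ $regex: '.*' }));  // { unsafe: 3, safe: 'rejected' }
```

In a Meteor-based service the same guard is normally expressed with a schema check such as `check(username, String)` from Meteor's check package rather than a hand-written typeof test (an assumption about placement, not something the advisory states); the property that matters is the same in both forms: the input's type is fixed before the selector is built, so the query can only ever compare against a literal string.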
NVD CVSS 4.0 score: 6.9
Vulnerability type
CWE-943
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026