CVE-2026-30833 in Rocket.Chat
Summary
by MITRE • 03/06/2026
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability identified as CVE-2026-30833 represents a critical NoSQL injection flaw within Rocket.Chat's authentication system that affects multiple version branches including 7.10.x, 7.11.x, 7.12.x, 7.13.x, 8.0.x, 8.1.x, and 8.2.x. This security weakness resides in the ddp-streamer microservice component of the platform's account service, specifically during the username-based login process where user input directly influences MongoDB query construction. The flaw stems from inadequate input validation mechanisms that fail to sanitize or escape user-supplied credentials before incorporating them into database queries, creating an avenue for malicious exploitation.
Technically, the vulnerability lets unauthenticated attackers manipulate MongoDB query selectors through crafted username inputs carrying NoSQL injection payloads. When the supplied username is not a plain string but a MongoDB operator expression such as { $regex: '.*' }, the authentication code embeds it in the database query without sanitization. The modified selector can then match multiple user records, so the attacker can bypass normal authentication and potentially reach accounts that are not theirs. Because the affected path is the username-based login flow, the flaw sits in the platform's core login functionality, which makes it particularly dangerous.
From an operational perspective, this vulnerability presents significant risk to Rocket.Chat deployments as it allows attackers to perform unauthorized account access without requiring valid credentials. The impact extends beyond simple credential theft, as successful exploitation could enable attackers to access sensitive user data, modify account permissions, or potentially escalate privileges within the system. The NoSQL injection vulnerability affects the authentication service's ability to properly validate user credentials, creating a persistent threat vector that remains active until the affected versions are patched. Organizations running vulnerable Rocket.Chat instances face potential data breaches, unauthorized access to communication channels, and compromise of user privacy and system integrity.
The mitigation strategy for CVE-2026-30833 requires immediate deployment of patched versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0 across all affected deployments. Additionally, organizations should implement proper input validation and sanitization measures within their authentication services to prevent similar vulnerabilities in the future. This includes implementing parameterized queries or prepared statements for database interactions, as well as comprehensive input filtering that rejects or escapes potentially malicious characters and operator expressions. The vulnerability aligns with CWE-94, which describes the injection of code or commands into a target system, and represents a specific instance of NoSQL injection that falls under the ATT&CK technique T1190 for exploitation of vulnerabilities in authentication systems. Organizations should also conduct thorough security assessments of their authentication flows and implement monitoring to detect potential exploitation attempts against their Rocket.Chat deployments.
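To show the selector behaviour described in the analysis above and the type check the mitigation paragraph calls for, here is an added example (not Rocket.Chat's code): the user records, the `findUser*` functions and the `hasOperatorKeys` helper are constructed for this illustration, and the matcher mimics only MongoDB's string-equality and `$regex` semantics.

```javascript
// Constructed sample user records standing in for the users collection.
const USERS = [
  { _id: 'u1', username: 'alice' },
  { _id: 'u2', username: 'bob' },
  { _id: 'u3', username: 'admin' },
];

// Minimal stand-in for how MongoDB evaluates a field in a selector:
// a string must match exactly, an object is read as an operator
// expression (only $regex is modelled here).
function fieldMatches(value, selector) {
  if (typeof selector === 'string') return value === selector;
  if (selector && typeof selector === 'object' && '$regex' in selector) {
    return new RegExp(selector.$regex, selector.$options || '').test(value);
  }
  return false;
}

// Vulnerable pattern: whatever arrived in the login message is placed
// straight into the selector, so an operator object widens the match.
function findUserVulnerable(loginUsername) {
  return USERS.filter((u) => fieldMatches(u.username, loginUsername));
}

// Hardened pattern: refuse anything that is not a plain string before it
// can become part of the selector; the match is then exact equality.
function findUserHardened(loginUsername) {
  if (typeof loginUsername !== 'string') {
    throw new TypeError('username must be a string');
  }
  return USERS.filter((u) => u.username === loginUsername);
}

// Generic guard for a whole login payload: true if any nested key starts
// with '$', i.e. the client tried to smuggle an operator expression.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || hasOperatorKeys(value[k]),
    );
  }
  return false;
}
```

Rejecting the request when `hasOperatorKeys` is true, together with the per-field type check, covers both the username field and any other selector-bound value in the payload.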