CVE-2026-30833 in Rocket.Chat

Summary

by MITRE • 06.03.2026

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer microservice that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.


Responsible

GitHub M

Reserved

05.03.2026

Publication

06.03.2026

Moderation

accepted

Entry

VDB-349519

CPE

ready

EPSS

0.00055

KEV

no

Activities

very low

Sources
