Critical severity9.8NVD Advisory· Published Apr 23, 2026· Updated May 13, 2026
CVE-2026-29198
CVE-2026-29198
Description
In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8(expand)+ 7 more
- (no CPE)
- cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*range: <7.10.9
- cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc4:*:*:*:*:*:*
- (no CPE)range: <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, <7.10.9
Patches
Vulnerability mechanics
References
2- github.com/RocketChat/Rocket.Chat/pull/39492nvdIssue TrackingPatch
- hackerone.com/reports/3564655nvdThird Party Advisory
News mentions
0No linked articles in our index yet.