VYPR
Critical severity9.8NVD Advisory· Published Apr 23, 2026· Updated May 13, 2026

CVE-2026-29198

CVE-2026-29198

Description

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

8
  • RocketChat/Rocket.chatreferences8 versions
    (expand)+ 7 more
    • (no CPE)
    • cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*range: <7.10.9
    • cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc0:*:*:*:*:*:*
    • cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:rocket.chat:rocket.chat:8.3.0:rc4:*:*:*:*:*:*
    • (no CPE)range: <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, <7.10.9

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.