VYPR
Unrated severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026

Rocket.Chat: NoSQL injection in the EE ddp-streamer-service

CVE-2026-30833

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer microservice that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow, where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
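The mitigation the advisory implies is to refuse anything but a plain string before the value reaches the query selector. The following is an added example, not Rocket.Chat's own code: the in-memory user list standing in for MongoDB and the username allowlist pattern are assumptions.

```javascript
// Constructed stand-in for the users collection (not real Rocket.Chat data).
const USERS = [{ username: 'alice' }, { username: 'bob' }];

// Detection helper: true if an untrusted value carries MongoDB operator keys
// (e.g. { $regex: '.*' }), at any nesting depth.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || containsOperator(value[k])
  );
}

// Hardened selector builder: only a plain string username is accepted, so an
// operator object can never become part of the selector. The allowlist
// pattern is an assumption for this example.
function buildUsernameSelector(input) {
  if (typeof input !== 'string') {
    throw new TypeError('username must be a string');
  }
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(input)) {
    throw new RangeError('username contains disallowed characters');
  }
  return { username: input }; // the only key the selector can ever contain
}

// Equality lookup over the stand-in collection using the hardened selector.
function findUserByUsername(input) {
  const selector = buildUsernameSelector(input);
  return USERS.filter((u) => u.username === selector.username);
}
```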

Affected products

  • RocketChat/Rocket.chat (no CPE), 2 version ranges:
    • <7.10.8, >=7.10.0 <7.11.5, >=7.11.0 <7.12.5, >=7.12.0 <7.13.4, >=7.13.0 <8.0.2, >=8.0.0 <8.1.1, >=8.1.0 <8.2.0
    • <7.10.8

Patches

Vulnerability mechanics

References


News mentions
