CVE-2026-29198 Overview
A critical NoSQL injection vulnerability has been identified in Rocket.Chat that can lead to account takeover. The vulnerability exists in the OAuth authentication flow and affects multiple versions of the popular open-source team collaboration platform. When an OAuth app is configured, an attacker can exploit this injection flaw to compromise the first user account that has a generated token, potentially gaining full administrative access to the Rocket.Chat instance.
Critical Impact
This NoSQL injection vulnerability allows unauthenticated attackers to take over user accounts through the OAuth authentication mechanism, potentially compromising the entire Rocket.Chat deployment including administrative accounts.
Affected Products
- Rocket.Chat versions prior to 8.3.0
- Rocket.Chat versions prior to 8.2.1
- Rocket.Chat versions prior to 8.1.2
- Rocket.Chat versions prior to 8.0.3
- Rocket.Chat versions 7.x prior to 7.13.5, 7.12.6, 7.11.6, and 7.10.9
Discovery Timeline
- 2026-04-23 - CVE-2026-29198 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-29198
Vulnerability Analysis
This vulnerability is classified as a NoSQL injection (CWE-89) affecting Rocket.Chat's OAuth authentication implementation. The flaw allows attackers to manipulate database queries through crafted input when an OAuth application is configured on the Rocket.Chat server. The injection point specifically targets the token lookup mechanism used during the OAuth authentication flow.
NoSQL databases like MongoDB, which Rocket.Chat uses as its backend, are susceptible to injection attacks when user-supplied input is not properly sanitized before being used in database queries. In this case, an attacker can craft malicious payloads that alter the intended query logic, allowing them to retrieve or manipulate authentication tokens belonging to other users.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and sanitization in the OAuth token handling code. When processing OAuth authentication requests, the application fails to properly sanitize user-controlled input before incorporating it into MongoDB queries. This allows attackers to inject NoSQL operators such as $ne, $gt, $regex, or other MongoDB query operators to bypass authentication checks or extract sensitive token data.
The vulnerability specifically affects scenarios where OAuth applications are configured, as the injection occurs within the OAuth token generation and validation workflow. The first user with a generated token becomes the target because the injection allows attackers to match against existing tokens in the database.
Attack Vector
The attack vector is network-based and requires no prior authentication or user interaction. An attacker targeting a vulnerable Rocket.Chat instance can:
- Identify a Rocket.Chat deployment with OAuth authentication configured
- Craft malicious requests containing NoSQL injection payloads targeting the OAuth token endpoints
- Manipulate the database query to return the first matching user token
- Use the obtained token to authenticate as the target user, achieving account takeover
The attack is particularly dangerous because it can target administrative accounts or the first registered users who often have elevated privileges. The vulnerability details and fix can be found in the GitHub Pull Request 39492. Additional technical information is available in the HackerOne Report #3564655.
Detection Methods for CVE-2026-29198
Indicators of Compromise
- Unusual OAuth authentication requests containing special characters or MongoDB operators ($ne, $gt, $regex, $where)
- Unexpected successful OAuth logins from unfamiliar IP addresses or geolocations
- Authentication logs showing access to user accounts without corresponding legitimate login activity
- Anomalous database query patterns in MongoDB logs, particularly around the OAuth token collections
Detection Strategies
- Monitor OAuth authentication endpoints for requests containing JSON objects or MongoDB query operators in token parameters
- Implement Web Application Firewall (WAF) rules to detect and block NoSQL injection patterns in HTTP requests
- Enable verbose logging on Rocket.Chat OAuth endpoints and analyze for injection attempts
- Deploy SentinelOne Singularity Platform for real-time behavioral analysis and threat detection on servers hosting Rocket.Chat
Monitoring Recommendations
- Configure alerting for failed and anomalous OAuth authentication attempts
- Monitor MongoDB slow query logs for unusual query patterns that may indicate injection attacks
- Implement session monitoring to detect account access from multiple disparate locations
- Review audit logs regularly for signs of unauthorized account access or privilege escalation
How to Mitigate CVE-2026-29198
Immediate Actions Required
- Upgrade Rocket.Chat immediately to a patched version: 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, or 7.10.9 depending on your version branch
- Review OAuth application configurations and disable any unnecessary OAuth integrations
- Audit user accounts for signs of compromise, particularly administrative and early-registered accounts
- Reset authentication tokens for all users if compromise is suspected
- Enable multi-factor authentication (MFA) for all user accounts as an additional security layer
Patch Information
Rocket.Chat has released security patches addressing this NoSQL injection vulnerability across multiple supported version branches. The fix is documented in GitHub Pull Request 39492. Organizations should upgrade to the following minimum versions:
- Version 8.x: Upgrade to 8.3.0, 8.2.1, 8.1.2, or 8.0.3
- Version 7.13.x: Upgrade to 7.13.5
- Version 7.12.x: Upgrade to 7.12.6
- Version 7.11.x: Upgrade to 7.11.6
- Version 7.10.x: Upgrade to 7.10.9
Workarounds
- Temporarily disable OAuth authentication if not immediately required for business operations
- Place Rocket.Chat behind a Web Application Firewall (WAF) configured to block NoSQL injection patterns
- Implement network-level access controls to restrict OAuth endpoint access to trusted IP ranges
- Consider temporarily disabling all OAuth applications until patches can be applied
# Review and disable OAuth apps via Rocket.Chat Admin CLI
# List configured OAuth applications
rocketchatctl oauth-apps list
# Disable specific OAuth app (replace APP_ID with actual ID)
rocketchatctl oauth-apps disable --id APP_ID
# Verify Rocket.Chat version after upgrade
rocketchatctl status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
