CVE-2026-29198 Overview
CVE-2026-29198 is a NoSQL injection vulnerability in Rocket.Chat that can lead to account takeover. The flaw affects the OAuth token handling logic and allows unauthenticated network attackers to compromise the first user with a generated token when an OAuth app is configured. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and impacts confidentiality, integrity, and availability of the affected instance.
Critical Impact
Unauthenticated attackers can take over the first user account holding a generated OAuth token, gaining full access to that user's data and privileges within the Rocket.Chat workspace.
Affected Products
- Rocket.Chat versions before 8.3.0
- Rocket.Chat versions before 8.2.1, 8.1.2, and 8.0.3
- Rocket.Chat versions before 7.13.5, 7.12.6, 7.11.6, and 7.10.9
Discovery Timeline
- 2026-04-23 - CVE-2026-29198 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-29198
Vulnerability Analysis
The vulnerability resides in Rocket.Chat's OAuth integration path, where user-controlled input is passed into a MongoDB query without proper type validation or sanitization. Because MongoDB query operators accept structured objects, an attacker can submit a crafted payload that turns an equality check into an operator-based query. This converts an authentication lookup into a logic bypass that matches the first record holding a generated OAuth token.
The attack does not require authentication, user interaction, or elevated privileges. A successful request returns or accepts a token tied to another user's account, granting the attacker session-equivalent access. From that point the attacker can read private channels, send messages, modify integrations, and pivot into connected systems through OAuth scopes.
Root Cause
The root cause is improper neutralization of user-supplied input inside a NoSQL query, tracked under CWE-89. Rocket.Chat's OAuth flow accepted parameters that were not coerced to a string before being included in the MongoDB filter. When the parameter was instead supplied as a query operator such as $ne or $regex, the database returned the first matching token-bearing user. The vendor remediation, tracked in Rocket.Chat Pull Request #39492, enforces strict input typing on the affected query parameters.
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the OAuth-related endpoint of a Rocket.Chat server that has at least one OAuth app configured. The payload replaces a scalar value with a NoSQL operator object. The backend evaluates the operator against the user collection and returns the first user with a generated token. The attacker then uses the returned token to impersonate that user. Refer to the HackerOne Security Report #3564655 for additional technical context.
Detection Methods for CVE-2026-29198
Indicators of Compromise
- HTTP requests to OAuth-related Rocket.Chat endpoints containing JSON payloads with MongoDB operators such as $ne, $gt, $regex, or $exists in fields that should accept only strings.
- Authentication or session events showing an OAuth token issued or reused for a user without a corresponding interactive login.
- Unusual API activity from a session immediately after an anomalous OAuth callback, particularly bulk channel reads or integration changes.
Detection Strategies
- Inspect web server and reverse proxy logs for request bodies and query parameters that contain MongoDB operator syntax against /api/v1/ OAuth endpoints.
- Correlate token issuance events with source IP reputation and prior session history to identify tokens used from unexpected geolocations or user agents.
- Alert on administrative or integration changes performed by accounts that had no recent interactive authentication.
Monitoring Recommendations
- Forward Rocket.Chat application logs and proxy access logs to a centralized analytics platform with retention sufficient for retroactive hunting.
- Build detection rules targeting the literal strings "$ne", "$regex", and "$gt" inside HTTP request bodies destined for Rocket.Chat.
- Monitor MongoDB query patterns for unexpected operator usage from the Rocket.Chat application user.
How to Mitigate CVE-2026-29198
Immediate Actions Required
- Upgrade Rocket.Chat to a fixed release: 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, or 7.10.9, matching the branch in use.
- Rotate all OAuth client secrets and invalidate existing user tokens after patching to revoke any tokens an attacker may have captured.
- Audit administrator and integration-owner accounts for unauthorized changes since OAuth apps were first configured.
Patch Information
Rocket.Chat addressed the issue in the pull request published at Rocket.Chat Pull Request #39492. The fix enforces type validation on the OAuth query parameters so that MongoDB operator objects can no longer be injected into the user lookup. Apply the corresponding patch release for your branch as listed in the affected products section.
Workarounds
- If patching cannot occur immediately, disable all configured OAuth apps until the upgrade is applied.
- Place a web application firewall in front of Rocket.Chat with rules that reject request bodies containing MongoDB operator keys such as $ne, $gt, or $regex on OAuth endpoints.
- Restrict network access to the Rocket.Chat instance so that only trusted networks can reach the OAuth callback and authentication routes.
# Example WAF rule fragment (ModSecurity) blocking NoSQL operators on Rocket.Chat OAuth paths
SecRule REQUEST_URI "@beginsWith /api/v1/" \
"chain,deny,status:400,id:1029198,msg:'Block NoSQL operator in Rocket.Chat OAuth request'"
SecRule REQUEST_BODY "@rx \"\\$(ne|gt|lt|regex|exists|in|nin)\"" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
