External risk intelligence

Rocket.Chat account takeover possible via configuration flaw

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-29198

Rocket.Chat versions before 8.3.0 have a critical flaw allowing account takeover through OAuth configuration. This impacts internet-facing systems and needs immediate attention to protect your communication platform.

Halo Surface Signal: 4

SQL Injection

Rocket Chat

Affected versions:

  • before 7.10.9
  • 7.11.0 to before 7.11.6
  • 7.12.0 to before 7.12.6
  • 7.13.0 to before 7.13.5
  • 8.0.0 to before 8.0.3
  • 8.1.0 to before 8.1.2
  • 8.2.0 to before 8.2.1
  • 8.3.0
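The affected-version list above is awkward to apply by hand across a fleet of instances, so here is a small triage helper. It is an example added to this advisory, not Rocket.Chat or Halo code: the range bounds are transcribed from the list above, and the blanket "before 8.3.0" bound is taken from the advisory summary. Version strings are assumed to follow Rocket.Chat's `MAJOR.MINOR.PATCH[-prerelease]` form; a pre-release such as `8.3.0-rc.1` is treated as older than `8.3.0`.

```python
"""Triage a Rocket.Chat version against the affected ranges for CVE-2026-29198.

Added example for this advisory; not Rocket.Chat or Halo code. The ranges are
transcribed from the advisory's affected-version list; FIX_VERSION comes from
the advisory summary ("versions before 8.3.0").
"""
import re
from typing import Optional, Tuple

# (start inclusive or None, end exclusive) -- transcribed from the advisory.
AFFECTED_RANGES = [
    (None,     "7.10.9"),
    ("7.11.0", "7.11.6"),
    ("7.12.0", "7.12.6"),
    ("7.13.0", "7.13.5"),
    ("8.0.0",  "8.0.3"),
    ("8.1.0",  "8.1.2"),
    ("8.2.0",  "8.2.1"),
]
FIX_VERSION = "8.3.0"  # blanket bound stated in the advisory summary

# Assumed version syntax: optional "v", three numeric parts, optional "-prerelease".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int, Tuple]:
    """Return a sortable key for a version string.

    Pre-release builds (e.g. 8.3.0-rc.2) sort before the final release of the
    same number, so they are still treated as older than the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    pre: Optional[str] = m.group(4)
    if pre is None:
        return (core, 1, ())  # 1 = final release, sorts after any pre-release (0)
    # Numeric identifiers sort below alphanumeric ones, as in semver.
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (core, 0, parts)


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the advisory's listed ranges."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        lower_ok = start is None or parse_version(start) <= v
        if lower_ok and v < parse_version(end):
            return True
    return False


def below_fix_line(version: str) -> bool:
    """True if `version` is older than 8.3.0, the summary's blanket bound."""
    return parse_version(version) < parse_version(FIX_VERSION)


def triage(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(version):
        return "AFFECTED: update to the patched release of this branch or to 8.3.0+"
    if below_fix_line(version):
        return "OUTSIDE LISTED RANGES but below 8.3.0: confirm against vendor notes"
    return "NOT AFFECTED per the listed ranges"


if __name__ == "__main__":
    for v in ("7.10.8", "7.10.9", "8.2.0", "8.2.1", "8.2.5", "8.3.0-rc.1", "8.3.0"):
        print(f"{v:12} {triage(v)}")
```

The third verdict exists because the page states both a per-branch range list and a blanket "before 8.3.0" bound; a build such as 8.2.5 sits outside every listed range yet below 8.3.0, and an inventory report should surface that disagreement rather than silently pick one reading.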

External exposure likelihood

Halo Surface Signal score for CVE-2026-29198

Rocket.Chat is a web-based collaboration platform commonly deployed as an internet-facing application to facilitate communication. The vulnerability involves OAuth configuration, which often requires interaction with external services, further increasing the likelihood of public network reachability in typical deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Rocket.Chat could allow unauthorized takeover of user accounts when an OAuth app is configured. This issue warrants attention because it could lead to the compromise of sensitive information and unauthorized actions within your communication platform.

  • Account takeover for first user.
  • Publicly accessible applications are at risk.
  • Requires an OAuth app to be configured.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by configuring a malicious OAuth app on a vulnerable Rocket.Chat instance. This allows them to inject NoSQL queries that can lead to account takeover for the initial user, granting them administrative access.

  • No authentication required.
  • Malicious OAuth app configuration.
  • Target: Rocket.Chat instances before version 8.3.0.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability attractive due to its direct path to account takeover without requiring initial user interaction or authentication. This NoSQL injection flaw in Rocket.Chat, particularly when an OAuth app is configured, could allow unauthorized access to the first user's account, presenting a significant risk to data and system integrity. While concrete exploitation in the wild has not been widely observed, the potential impact is severe.

  • NoSQL injection for account takeover.
  • Exploitation requires OAuth app configuration.
  • No public exploit code currently available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Rocket.Chat instances immediately due to a critical NoSQL injection vulnerability that can lead to account takeover via OAuth. If patching is not feasible, isolate affected services from the public network and review OAuth configurations for any suspicious activity or newly created accounts.

  • Update Rocket.Chat to version 8.3.0 or later.
  • Isolate services from external access.
  • Monitor for unauthorized account creation.
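The monitoring step above is easier to operationalise with a concrete check. The following is an example added to this advisory, not Rocket.Chat or Halo code. It reviews a user inventory shaped like the JSON body returned by Rocket.Chat's `users.list` REST endpoint (the fields `_id`, `username`, `roles`, `createdAt` and `active` are assumed to be present in that shape) and flags two things the advisory asks you to watch for: accounts created after a chosen baseline, and accounts holding the `admin` role that are not on your known-admin list. The sample records are constructed for illustration.

```python
"""Flag newly created or newly privileged Rocket.Chat accounts.

Added example for this advisory; not Rocket.Chat or Halo code. Input is a dict
shaped like a users.list response (assumed fields: _id, username, roles,
createdAt, active). Fetching the live list is left to the caller.
"""
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample mimicking a users.list response body; not real data.
SAMPLE_RESPONSE = {
    "users": [
        {"_id": "u1", "username": "admin", "roles": ["admin"], "active": True,
         "createdAt": "2025-01-10T09:00:00.000Z"},
        {"_id": "u2", "username": "alice", "roles": ["user"], "active": True,
         "createdAt": "2025-02-01T12:30:00.000Z"},
        {"_id": "u3", "username": "svc-oauth-7f3a", "roles": ["user"], "active": True,
         "createdAt": "2025-03-15T03:12:44.000Z"},
        {"_id": "u4", "username": "bob", "roles": ["user", "admin"], "active": True,
         "createdAt": "2025-02-20T08:00:00.000Z"},
    ],
    "count": 4,
    "total": 4,
    "success": True,
}


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_new_accounts(response: Dict, since_iso: str) -> List[Dict]:
    """Accounts whose createdAt is at or after the baseline timestamp."""
    since = _parse_ts(since_iso)
    hits = [u for u in response.get("users", [])
            if "createdAt" in u and _parse_ts(u["createdAt"]) >= since]
    return sorted(hits, key=lambda u: u["createdAt"])


def find_unexpected_admins(response: Dict, known_admins: Iterable[str]) -> List[Dict]:
    """Accounts holding the admin role that are not in the approved set."""
    approved = set(known_admins)
    return [u for u in response.get("users", [])
            if "admin" in u.get("roles", []) and u.get("username") not in approved]


def review(response: Dict, since_iso: str, known_admins: Iterable[str]) -> Dict[str, List[Dict]]:
    """Run both checks and return the findings for a report or alert."""
    return {
        "new_accounts": find_new_accounts(response, since_iso),
        "unexpected_admins": find_unexpected_admins(response, known_admins),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_RESPONSE, "2025-03-01T00:00:00Z", known_admins={"admin"})
    for kind, users in findings.items():
        for u in users:
            print(f"{kind}: {u['username']} (id={u['_id']}, roles={u['roles']}, "
                  f"created={u['createdAt']})")
```

Run this on a schedule against an export of your user list and treat any hit as something to reconcile against your onboarding records; because the advisory's impact is takeover of the first (typically administrative) account, the admin-role check is the one to alert on loudest.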

Frequently asked questions

What is the nature of the vulnerability in Rocket.Chat?

A NoSQL injection vulnerability exists in Rocket.Chat versions prior to 8.3.0, including several specific sub-versions like 8.2.1, 8.1.2, 8.0.3, and various 7.x releases. This flaw can lead to the account takeover of the first user if an OAuth app is configured.

How does the NoSQL injection vulnerability in Rocket.Chat work?

The vulnerability, classified as CWE-89 (SQL injection), allows an attacker to inject NoSQL queries. This occurs when an OAuth app is configured, potentially enabling the attacker to gain control of the first user's account by exploiting the injection flaw.

What is the attack path and scope of the Rocket.Chat vulnerability?

An unauthenticated attacker can exploit this by configuring a malicious OAuth app on a vulnerable Rocket.Chat instance. This allows for the injection of NoSQL queries. The scope is user account takeover, specifically affecting the first user created on the instance.

What is the significance of CVE-2026-29198, and how is it relevant?

CVE-2026-29198 in Rocket.Chat is a critical vulnerability allowing account takeover via NoSQL injection when OAuth is configured. Its network attack vector and external exposure classify it as a significant risk, particularly for internet-facing collaboration platforms. The Halo Surface Signal scores it a 'Likely' risk due to its web-based nature and OAuth interaction.

What steps should be taken to address the Rocket.Chat vulnerability?

The primary recommendation is to update Rocket.Chat to version 8.3.0 or a later release. If immediate patching is not possible, isolating affected services from the public network and closely monitoring OAuth configurations for any unusual activity or new accounts are crucial mitigation steps.
