CVE-2026-29198

216.73.216.233

· Published 23/04/2026 00:16 · Modified 24/04/2026 14:50

Labels: CVE-2026-29198 2026-04-23 CVE-2026-29198 CWE-89 [email protected]

Essential information

Published: 23/04/2026 00:16
Modified: 24/04/2026 14:50
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<8.3.0:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<8.2.1:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<8.1.2:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<8.0.3:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<7.13.5:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<7.12.6:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<7.11.6:::::::*`
rocket.chat / rocket.chat	`cpe:2.3:a:rocket.chat:rocket.chat:<7.10.9:::::::*`