PT-2026-23738 · Rocket.Chat · Rocket.Chat

Published: 2026-03-06 · Updated: 2026-03-13 · CVE-2026-30833

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
- Rocket.Chat versions prior to 7.10.8
- Rocket.Chat versions prior to 7.11.5
- Rocket.Chat versions prior to 7.12.5
- Rocket.Chat versions prior to 7.13.4
- Rocket.Chat versions prior to 8.0.2
- Rocket.Chat versions prior to 8.1.1
- Rocket.Chat versions prior to 8.2.0
Description
Rocket.Chat is a communications platform. A NoSQL injection issue exists in the account service within the ddp-streamer microservice. This allows unauthenticated attackers to manipulate MongoDB queries during authentication. The issue is present in the username-based login flow, where user-provided input is incorporated directly into a MongoDB query selector without proper validation. An attacker can inject MongoDB operator expressions, such as { $regex: '.*' }, in place of a username, causing the database query to match unintended user records. The vulnerability affects the ddp-streamer service.
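The pattern behind this issue, as an added illustration that is not Rocket.Chat's code: a login selector built from an unvalidated request field accepts an operator object as the "username", while a selector that enforces a plain-string type and a username format rejects it. The in-memory user list and the small matcher are constructed stand-ins for the MongoDB collection and driver, and the username character set is an assumed policy.

```javascript
// Constructed stand-in for the users collection (not real data).
const users = [
  { _id: 'u1', username: 'alice' },
  { _id: 'u2', username: 'bob' },
  { _id: 'u3', username: 'admin' },
];

// Minimal stand-in for how MongoDB evaluates { username: <value> }:
// a plain string is an equality match; an object carrying $regex is
// honoured as a query operator instead of being compared as data.
function matchUsername(doc, value) {
  if (typeof value === 'string') return doc.username === value;
  if (value && typeof value === 'object' && '$regex' in value) {
    return new RegExp(value.$regex).test(doc.username);
  }
  return false;
}

function find(selector) {
  return users.filter((doc) => matchUsername(doc, selector.username));
}

// Vulnerable pattern: the request field is used as-is, so an object
// such as { $regex: '.*' } turns the lookup into a wildcard match.
function vulnerableSelector(input) {
  return { username: input };
}

// Hardened pattern: only a non-empty plain string is accepted, and it is
// further restricted to an assumed username alphabet and length.
function hardenedSelector(input) {
  if (typeof input !== 'string') {
    throw new TypeError('username must be a string');
  }
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(input)) {
    throw new RangeError('username has an invalid format');
  }
  return { username: input };
}

// Returns the ids of the user records a given selector builder matches.
function lookup(selectorBuilder, input) {
  return find(selectorBuilder(input)).map((doc) => doc._id);
}
```

With the vulnerable builder, the operator object matches every record; with the hardened builder, the same input is rejected before any query is issued.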
Recommendations
- Update Rocket.Chat to version 7.10.8 or later.
- Update Rocket.Chat to version 7.11.5 or later.
- Update Rocket.Chat to version 7.12.5 or later.
- Update Rocket.Chat to version 7.13.4 or later.
- Update Rocket.Chat to version 8.0.2 or later.
- Update Rocket.Chat to version 8.1.1 or later.
- Update Rocket.Chat to version 8.2.0 or later.


Related Identifiers

CVE-2026-30833
GHSA-HGQ6-9JG2-WF3F

Affected Products

Rocket.Chat