CVE-2026-30833
Received Received - Intake
NoSQL Injection in Rocket.Chat Account Service Enables Authentication Bypass

Publication date: 2026-03-06

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-30833
EUVD
EUVD-2026-10055
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
rocket.chat rocket.chat to 7.10.8 (exc)
rocket.chat rocket.chat From 7.11.0 (inc) to 7.11.5 (exc)
rocket.chat rocket.chat From 7.12.0 (inc) to 7.12.5 (exc)
rocket.chat rocket.chat From 7.13.0 (inc) to 7.13.4 (exc)
rocket.chat rocket.chat From 8.0.0 (inc) to 8.0.2 (exc)
rocket.chat rocket.chat From 8.1.0 (inc) to 8.1.1 (exc)
rocket.chat rocket.chat 8.2.0
rocket.chat rocket.chat 8.2.0
rocket.chat rocket.chat 8.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30833 is a high-severity NoSQL injection vulnerability in Rocket.Chat's account service used by the ddp-streamer microservice. It occurs in the username-based login flow where user input is directly embedded into a MongoDB query without proper validation."}, {'type': 'paragraph', 'content': "An attacker can inject MongoDB operator expressions, such as { $regex: '.*' }, instead of a normal username string. This causes the database query to match unintended user records, potentially allowing unauthorized access."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the username parameter is not sanitized before being used in the query, violating proper neutralization of special elements in data query logic (CWE-943).'}] [1]

Impact Analysis

This vulnerability allows unauthenticated attackers to manipulate login queries and potentially bypass normal username checks.

Attackers could log in without knowing valid usernames by injecting special MongoDB operators, which may lead to unauthorized access to user accounts.

If combined with related vulnerabilities, the impact could be more severe, increasing the risk of account compromise and unauthorized data access.

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unusual or malformed login attempts to the Rocket.Chat websocket endpoint, specifically targeting the ddp-streamer microservice's login method."}, {'type': 'paragraph', 'content': "Since the injection occurs via the username parameter in MongoDB queries, detection involves looking for login requests where the username field contains MongoDB operator expressions such as {$regex: '.*'} instead of simple strings."}, {'type': 'paragraph', 'content': "You can inspect network traffic or logs for websocket messages sent to the <rocketchat-host>/websocket endpoint that invoke the 'login' server method with suspicious username payloads."}, {'type': 'list_item', 'content': 'Use network packet capture tools (e.g., tcpdump, Wireshark) to filter websocket traffic to the Rocket.Chat server and analyze login requests.'}, {'type': 'list_item', 'content': 'Search Rocket.Chat server logs for login attempts containing MongoDB operators in the username field.'}, {'type': 'list_item', 'content': 'Example command to check logs for suspicious usernames (assuming logs are in JSON format): grep -E \'\\{"username":\\{\\$regex\' /path/to/rocketchat/logs/*'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Rocket.Chat to one of the patched versions: 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0.

If upgrading immediately is not possible, consider implementing input validation or filtering on the username parameter to ensure it is a primitive string and does not contain MongoDB operator expressions.

Additionally, monitor and restrict access to the Rocket.Chat websocket endpoint to trusted networks or authenticated users where feasible.

Review and apply any available patches or configuration changes recommended by Rocket.Chat security advisories.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart