Executive Summary

CVE-2026-29198 is a security vulnerability in Rocket.Chat versions prior to 8.3.0 and several earlier versions, related to the OAuth2 authentication mechanism. Specifically, it involves a NoSQL injection vulnerability that can lead to account takeover of the first user with a generated token when an OAuth app is configured.

The vulnerability arises from improper handling of OAuth2 access tokens passed via query parameters. The system did not properly sanitize or validate these tokens, allowing attackers to inject malformed or malicious tokens.

The fix involved refactoring the OAuth2 authentication middleware to extract and sanitize only the necessary authorization headers and access tokens, removing the access token from query parameters to prevent injection, and updating the authentication function to correctly parse and validate tokens.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to take over the account of the first user with a generated token in Rocket.Chat when an OAuth app is configured. This means unauthorized access to that user's account is possible.

Such an account takeover could lead to unauthorized access to sensitive communications, data leakage, and potential further exploitation within the Rocket.Chat environment.

Because the vulnerability involves token injection and improper validation, it undermines the security of the OAuth2 authentication process, potentially allowing attackers to bypass normal authentication controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper handling of OAuth2 access tokens passed via query parameters in Rocket.Chat versions prior to the fixed releases. Detection can focus on identifying requests that include access tokens in query parameters, which should not be accepted.

You can monitor your network or system logs for HTTP requests to Rocket.Chat endpoints that contain an access_token parameter in the URL query string.

• Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for URLs containing 'access_token='.
• Example tcpdump command to capture HTTP GET requests with access_token in query: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'access_token='
• Check Rocket.Chat server logs for authentication attempts that include query parameters with access tokens.
• If you have access to the Rocket.Chat server, review middleware or authentication logs for rejected or malformed OAuth2 token requests.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Rocket.Chat to a version that includes the security fix for CVE-2026-29198.

The fix involves sanitizing and properly validating OAuth2 access tokens passed via query parameters, preventing token injection and misuse.

• Upgrade Rocket.Chat to the latest version that includes the patch from Pull Request #39492 or later.
• If immediate upgrade is not possible, consider disabling OAuth apps or restricting OAuth2 authentication until the patch can be applied.
• Monitor and block HTTP requests that include access tokens in query parameters as a temporary protective measure.
• Review and tighten API authentication middleware configurations to reject malformed or suspicious tokens.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how CVE-2026-29198 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0