CVE-2026-30833
published 2026-03-06


Priority: P3 (36)
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.27% (18.4th percentile)
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
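To make the mechanism concrete, here is an added example (not Rocket.Chat's code and not taken from the advisory). It uses a small in-memory stand-in for a MongoDB users collection that understands exact-match and $regex conditions, a constructed set of user records, and constructed DDP-style login parameters. The vulnerable lookup drops the value received as the username straight into the selector, so an operator object such as { $regex: '.*' } widens the match to the first user in the collection; the hardened lookup rejects anything that is not a string before it reaches the query and wraps the value in $eq. Function names, the record layout, and the `user.username` parameter shape are assumptions for illustration.

```javascript
// Added example, not Rocket.Chat's code. A toy matcher covering just enough of
// MongoDB's selector semantics (exact match, $eq, $regex) to show the injection.
// All user records and login payloads below are constructed for the demo.

const users = [
  { _id: 'u1', username: 'admin', roles: ['admin'] },
  { _id: 'u2', username: 'alice', roles: ['user'] },
  { _id: 'u3', username: 'bob', roles: ['user'] },
];

// Evaluate one field condition: a plain string is an exact match; an object may
// carry $regex (pattern match) or $eq (equality). Anything else does not match.
function fieldMatches(value, condition) {
  if (condition !== null && typeof condition === 'object') {
    if ('$regex' in condition) {
      return typeof value === 'string' && new RegExp(condition.$regex).test(value);
    }
    if ('$eq' in condition) {
      return value === condition.$eq;
    }
    return false; // operator not modelled by this toy matcher
  }
  return value === condition;
}

// Return the first document satisfying every field condition, or null.
function findOne(collection, selector) {
  const hit = collection.find((doc) =>
    Object.entries(selector).every(([field, cond]) => fieldMatches(doc[field], cond))
  );
  return hit || null;
}

// Vulnerable pattern: the value from the login message becomes the selector
// as-is, so an attacker-supplied operator object is evaluated as a query.
function vulnerableLookup(username) {
  return findOne(users, { username });
}

// Hardened pattern: enforce the type before building the query and compare with
// $eq so the value can only ever be tested for equality. (In a Meteor code base
// check(username, String) is the idiomatic form of this guard; assumed here.)
function hardenedLookup(username) {
  if (typeof username !== 'string') {
    throw new TypeError('username must be a string');
  }
  return findOne(users, { username: { $eq: username } });
}

// Constructed login parameters in the shape a DDP client sends for the
// username flow: one legitimate, one carrying an operator object instead of a name.
const legitLogin = { user: { username: 'alice' } };
const injectedLogin = { user: { username: { $regex: '.*' } } };

// Run both lookups against both payloads and report what each one resolved to.
function demo() {
  let hardenedInjected;
  try {
    hardenedLookup(injectedLogin.user.username);
    hardenedInjected = 'matched';
  } catch (e) {
    hardenedInjected = 'rejected';
  }
  return {
    legit: vulnerableLookup(legitLogin.user.username),          // alice (u2)
    injected: vulnerableLookup(injectedLogin.user.username),    // admin (u1): the regex matches every record
    hardenedLegit: hardenedLookup(legitLogin.user.username),    // alice (u2)
    hardenedInjected,                                           // 'rejected'
  };
}

console.log(demo());
```

Two things worth noting when porting this check to real code. First, the type guard is the defense; $eq alone is not sufficient protection in general, it is included so the selector cannot be turned into an operator expression by anything that passes the guard. Second, note that both NVD vectors on this page score the impact as low integrity only (C:N/I:L/A:N): what the injection buys an attacker is control over which record the authentication query matches, and anything beyond that depends on what the surrounding login flow does with the matched record.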

Affected

14 ranges

Vendor        Product       Version range          Fixed in
rocket.chat   rocket.chat   < 7.10.8               7.10.8
rocket.chat   rocket.chat   (range not given)      (not given)
rocket.chat   rocket.chat   >= 7.11.0, < 7.11.5    7.11.5
rocket.chat   rocket.chat   >= 7.12.0, < 7.12.5    7.12.5
rocket.chat   rocket.chat   >= 7.13.0, < 7.13.4    7.13.4
rocket.chat   rocket.chat   >= 8.0.0, < 8.0.2      8.0.2
rocket.chat   rocket.chat   >= 8.1.0, < 8.1.1      8.1.1
rocketchat    rocket.chat   < 7.10.8               7.10.8
rocketchat    rocket.chat   < 7.11.5               7.11.5
rocketchat    rocket.chat   < 7.12.5               7.12.5
rocketchat    rocket.chat   < 7.13.4               7.13.4
rocketchat    rocket.chat   < 8.0.2                8.0.2
rocketchat    rocket.chat   < 8.1.1                8.1.1
rocketchat    rocket.chat   < 8.2.0                8.2.0

The two vendor spellings reflect two separately recorded sets of ranges. The first set gives a lower bound per release branch; the second set lists the same fixed versions with open lower bounds, so a version such as 7.13.3 appears vulnerable under "< 8.2.0" there even though it is only the 7.13 branch range that applies to it. When matching an installed version, use the branch-specific ranges.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd      v4.0      6.9     MEDIUM     CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X