๐Ÿ” CVE Alert

CVE-2026-29198

CRITICAL 9.8
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
3th

In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.

Vendor rocket.chat
Product rocket.chat
Published Apr 22, 2026
Last Updated Apr 23, 2026
Stay Ahead of the Next One

Get instant alerts for rocket.chat rocket.chat

Be the first to know when new critical vulnerabilities affecting rocket.chat rocket.chat are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Rocket.Chat / Rocket.Chat
All versions affected

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
hackerone.com: https://hackerone.com/reports/3564655 github.com: https://github.com/RocketChat/Rocket.Chat/pull/39492