
CVE-2026-30833: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in RocketChat Rocket.Chat

Severity: Medium
Tags: Vulnerability, CVE-2026-30833, CWE-943
Published: Fri Mar 06 2026 (03/06/2026, 17:40:36 UTC)
Source: CVE Database V5
Vendor/Project: RocketChat
Product: Rocket.Chat

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service, as used by the ddp-streamer microservice, that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow, where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

AI-Powered Analysis

Last updated: 03/06/2026, 18:16:09 UTC

Technical Analysis

CVE-2026-30833 is a NoSQL injection vulnerability identified in Rocket.Chat, an open-source communication platform widely used for secure messaging. The vulnerability exists in the account service component, specifically within the ddp-streamer microservice's username-based login flow. In affected versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, user-supplied input for the username is directly embedded into MongoDB query selectors without proper sanitization or validation. This improper neutralization of special elements in data query logic (CWE-943) allows an attacker to inject MongoDB operator expressions such as {$regex: '.*'}, which can manipulate the query to match unintended user records. Because the vulnerability is exploitable without authentication or user interaction, an attacker can potentially bypass authentication controls or retrieve unauthorized user information. The flaw impacts the confidentiality and integrity of user data by enabling unauthorized access or impersonation. The vulnerability has been assigned a CVSS 4.0 base score of 6.9, reflecting medium severity due to network attack vector, no privileges or user interaction required, and partial impact on confidentiality and integrity. No known exploits have been reported in the wild to date. The issue has been addressed in multiple patched versions of Rocket.Chat, and users are strongly advised to upgrade to these versions to mitigate the risk. This vulnerability underscores the importance of secure coding practices when constructing NoSQL queries, particularly ensuring that user input is properly validated and sanitized to prevent injection attacks.

Potential Impact

The primary impact of CVE-2026-30833 is unauthorized access to user accounts or data within Rocket.Chat deployments. By exploiting the NoSQL injection flaw, attackers can manipulate authentication queries to bypass login controls or retrieve sensitive user information, compromising confidentiality and integrity. This can lead to account takeover, data leakage, and potential lateral movement within an organization's communication infrastructure. Since Rocket.Chat is often used for secure internal and external communications, exploitation could disrupt business operations, erode trust, and expose sensitive conversations or credentials. The vulnerability requires no authentication or user interaction, increasing the risk of automated or widespread attacks. Although no availability impact is indicated, the breach of confidentiality and integrity alone can have severe consequences for organizations relying on Rocket.Chat for secure messaging. The medium CVSS score reflects these risks, emphasizing the need for prompt remediation to prevent exploitation.

Mitigation Recommendations

1. Immediately upgrade to patched Rocket.Chat versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0 or later to eliminate the vulnerability.
2. Implement strict input validation and sanitization on all user-supplied data, especially in authentication flows, to ensure no special MongoDB operators or query modifiers can be injected.
3. Refactor query construction to use parameterized queries or safe query builder APIs that separate data from query logic, preventing injection.
4. Conduct code audits focusing on NoSQL query handling to identify and remediate similar injection risks elsewhere in the codebase.
5. Monitor authentication logs for anomalous login attempts or unusual query patterns indicative of injection attempts.
6. Employ Web Application Firewalls (WAFs) or runtime application self-protection (RASP) solutions capable of detecting and blocking NoSQL injection payloads targeting MongoDB.
7. Educate developers on secure coding practices related to NoSQL databases and injection prevention.
8. Maintain an incident response plan to quickly address any suspected exploitation.
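As an added example (not Rocket.Chat's code), the selector-construction pattern the description refers to is shown beside a hardened version that applies recommendations 2 and 3 above, together with a small audit helper for recommendation 5. The allowed-character policy and all function names are assumptions.

```javascript
// Added example, not Rocket.Chat's code. Assumes a JSON-parsed request body,
// where a field the server expects to be a string may arrive as an object.

// Recursively checks whether a value is an object carrying a MongoDB
// operator key ($regex, $ne, $in, ...). Arrays and nested objects are walked.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k])
    );
  }
  return false;
}

// Vulnerable pattern (CWE-943): the untrusted value is placed straight into
// the selector. With a string it compares literally; with an object such as
// { $regex: '.*' } the object becomes query logic rather than a literal.
function buildSelectorUnsafe(username) {
  return { username };
}

// Hardened pattern: accept only a plain string matching an explicit allow-list,
// then coerce it, so the value can never be interpreted as query logic.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/; // assumed policy, not Rocket.Chat's
function buildSelectorSafe(username) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    throw new TypeError('username must be a plain string of allowed characters');
  }
  return { username: String(username) };
}

// Audit/detection helper: given a selector about to be sent to MongoDB,
// report whether a user-controlled field smuggled in an operator. Useful as
// a logging hook while reviewing authentication code paths.
function selectorIsSuspicious(selector) {
  return containsOperator(selector);
}

// Constructed input, as a login handler would receive it after JSON parsing.
const tainted = { $regex: '.*' };
console.log(selectorIsSuspicious(buildSelectorUnsafe(tainted))); // true
console.log(selectorIsSuspicious(buildSelectorSafe('alice')));  // false
```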


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-05T21:06:44.606Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69ab1661c48b3f10ffba1825

Added to database: 3/6/2026, 6:01:05 PM

Last enriched: 3/6/2026, 6:16:09 PM

Last updated: 3/7/2026, 8:13:00 AM
