CVE-2026-30833: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in RocketChat Rocket.Chat
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer microservice that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow, where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-30833 is a NoSQL injection vulnerability identified in Rocket.Chat, an open-source communication platform widely used for secure messaging. The vulnerability resides in the account service component, specifically within the ddp-streamer microservice that handles authentication. In affected versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, the username-based login flow embeds user-supplied input directly into MongoDB query selectors without sanitization or validation. This improper neutralization of special elements (CWE-943) lets an attacker supply a MongoDB operator expression such as { $regex: '.*' } where a username string is expected, changing the query logic so that it matches unintended user records. As a result, an unauthenticated attacker can bypass authentication by crafting input that alters the query to authenticate as arbitrary users or otherwise gain unauthorized access. The vulnerability requires no privileges or user interaction and is exploitable remotely over the network. The issue has been addressed in the patched versions listed above by adding input validation and query-construction safeguards. Although no active exploits have been reported, the medium CVSS score of 6.9 reflects the significant risk posed by an injection flaw in a critical authentication path.
Potential Impact
The primary impact of this vulnerability is unauthorized access to Rocket.Chat accounts without valid credentials, undermining the confidentiality and integrity of communications. Attackers exploiting this flaw can impersonate legitimate users, potentially gaining access to sensitive conversations, private channels, and organizational data. This can lead to data leakage, espionage, or further lateral movement within an organization's network. Since Rocket.Chat is often deployed in enterprise, government, and educational environments for secure collaboration, exploitation could undermine trust and operational security. Unauthorized access could also enable attackers to escalate privileges or stage follow-on attacks such as social engineering or malware distribution. The vulnerability affects all organizations running vulnerable Rocket.Chat versions, with higher risk for those handling sensitive or regulated data. Because neither authentication nor user interaction is required, automated exploitation attempts become more likely if the flaw is weaponized. The absence of known in-the-wild exploits currently limits immediate widespread impact but does not eliminate future risk.
Mitigation Recommendations
Organizations should immediately upgrade Rocket.Chat to one of the patched versions: 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0. If upgrading is not immediately feasible, enforce strict input validation on the username field at the application or proxy level: a username must be a plain string, so any object-valued input (the shape MongoDB operator expressions take) should be rejected before it reaches the query. Employ Web Application Firewalls (WAFs) with custom rules to detect and block NoSQL injection payloads targeting the login endpoint. Monitor authentication logs for anomalous login attempts or patterns indicative of injection attacks. Conduct a thorough review of user account access and audit for suspicious activity. Limit exposure by restricting access to the Rocket.Chat service to trusted networks or VPNs where possible. Educate development teams on secure coding practices to prevent injection flaws, emphasizing query builders or parameterized queries that keep data separate from query logic. Finally, maintain up-to-date backups and incident response plans to recover quickly in case of compromise.
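The type check recommended above, as an added example that is not Rocket.Chat's own code: an unsafe selector builder that passes whatever the client sent into the MongoDB selector, beside a hardened builder that accepts only a non-empty plain string, and a small walker that flags operator-prefixed (`$`) keys anywhere in a decoded login payload so a proxy, WAF rule or log-review script can reject or alert on them. The payload shape `{ user: { username }, password }` and all sample payloads are constructed for this example and are not taken from the ddp-streamer protocol.

```javascript
// Added example, not project code. Demonstrates rejecting non-string username
// input before it is used in a MongoDB selector (CWE-943 mitigation).

// Unsafe pattern (illustrative, not the project's source): the client-supplied
// value is placed straight into the selector, so an object such as
// { $regex: '.*' } is interpreted by MongoDB as an operator, not as a literal.
function buildLoginSelectorUnsafe(username) {
  return { username: username };
}

// Hardened pattern: only a non-empty plain string may become the selector
// value. Objects, arrays, numbers and null are rejected before any DB call.
function buildLoginSelector(username) {
  if (typeof username !== 'string' || username.length === 0) {
    throw new TypeError('username must be a non-empty string');
  }
  return { username: username };
}

// Walks a decoded JSON payload and reports whether any object key begins with
// '$' (the MongoDB operator prefix). A login request should never carry such
// keys, so this is a useful secondary signal at a proxy/WAF or in log review.
function containsMongoOperator(value, depth = 0) {
  if (depth > 32 || value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) {
    return value.some((item) => containsMongoOperator(item, depth + 1));
  }
  for (const key of Object.keys(value)) {
    if (key.startsWith('$')) return true;
    if (containsMongoOperator(value[key], depth + 1)) return true;
  }
  return false;
}

// Validates a login payload of the assumed shape { user: { username }, password }.
// Returns { ok: true, selector } or { ok: false, reason }; never throws.
function validateLoginPayload(payload) {
  if (payload === null || typeof payload !== 'object') {
    return { ok: false, reason: 'payload is not an object' };
  }
  if (containsMongoOperator(payload)) {
    return { ok: false, reason: 'operator key in payload' };
  }
  const user = payload.user;
  if (user === null || typeof user !== 'object') {
    return { ok: false, reason: 'missing user object' };
  }
  try {
    return { ok: true, selector: buildLoginSelector(user.username) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample payloads for a stand-alone run.
const samplePayloads = [
  { user: { username: 'alice' }, password: 'constructed-sample' },
  { user: { username: { $regex: '.*' } }, password: 'x' },
  { user: { username: 42 }, password: 'x' },
];
for (const payload of samplePayloads) {
  console.log(JSON.stringify(payload.user.username), '->',
    JSON.stringify(validateLoginPayload(payload)));
}
```

The `typeof` check is the decisive control: `JSON.parse` can only ever produce strings, numbers, booleans, null, arrays and plain objects, and a selector whose value is a string cannot carry an operator. The `$`-key walker does not replace that check; it exists so that the same payloads can be flagged in front of the application or in retained request logs.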
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, Brazil, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-05T21:06:44.606Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab1661c48b3f10ffba1825
Added to database: 3/6/2026, 6:01:05 PM
Last enriched: 3/13/2026, 7:47:09 PM
Last updated: 4/20/2026, 7:16:25 PM