Impact
Rocket.Chat versions prior to 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, and 7.10.9 contain a NoSQL injection flaw that can be triggered when an OAuth application is set up. By injecting malicious payloads into the OAuth configuration, an attacker can cause the system to generate an authentication token that grants control over the first user account, effectively allowing account takeover. This vulnerability directly compromises account integrity and confidentiality.
Affected Systems
All installations of Rocket.Chat running any of the affected versions listed above. The flaw does not depend on the deployment environment; it exists in the core code that handles OAuth application configuration. Administrators whose servers are publicly reachable and allow OAuth application creation are particularly at risk.
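To turn the version list above into something an administrator can run against an inventory, the following is an added example (not Rocket.Chat code and not part of the advisory) that checks a version string against the fixed releases named in this advisory. The host names and versions in the inventory are constructed, and the handling of branches that have no listed fix (treated as affected when below 8.3.0) is an assumption made here, chosen to err on the side of flagging for review.

```javascript
// Fixed releases as listed in the advisory text; anything below the fix on
// the same MAJOR.MINOR branch is affected.
const FIXED_VERSIONS = ['8.3.0', '8.2.1', '8.1.2', '8.0.3', '7.13.5', '7.12.6', '7.11.6', '7.10.9'];

// Parse "MAJOR.MINOR.PATCH"; a pre-release suffix such as "-rc.1" is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing component by component.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `version` falls inside the affected range. A branch with a listed
// fix is affected below that fix; a branch with no listed fix is treated
// conservatively (assumption): affected if below the newest fixed release, 8.3.0.
function isAffected(version) {
  const [major, minor] = parseVersion(version);
  const branchFix = FIXED_VERSIONS.find((f) => {
    const [fm, fn] = parseVersion(f);
    return fm === major && fn === minor;
  });
  if (branchFix) return compareVersions(version, branchFix) < 0;
  return compareVersions(version, FIXED_VERSIONS[0]) < 0;
}

// Constructed inventory; host names and versions are illustrative only.
const inventory = [
  { host: 'chat.example.internal', version: '7.13.4' },
  { host: 'chat-dev.example.internal', version: '8.3.0' },
];

// Produce one result row per instance so the output can be fed to a ticketing or SIEM pipeline.
function report(instances) {
  return instances.map(({ host, version }) => ({ host, version, affected: isAffected(version) }));
}

for (const r of report(inventory)) console.log(`${r.host} ${r.version} affected=${r.affected}`);
```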
Risk and Exploitability
The CVSS score of 9.8 places the flaw at critical severity, while the EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild, though not a negligible one. The vulnerability is not yet listed in CISA’s KEV catalog, but its high score and the straightforward nature of the payload imply that an attacker who can create an OAuth app might exploit it without sophisticated tooling. The attack likely requires administrative access to the Rocket.Chat instance to add or modify OAuth applications, after which the injection can be triggered. Once the malicious token is issued, the attacker can impersonate the first user and gain full control of the system.
OpenCVE Enrichment