Issue 2: NoSQL injection in the EE ddp-streamer-service (GHSL-2026-005)
A NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records.
The NoSQL injection surface exists in the authentication flow where the username parameter from the client is used directly in a MongoDB findOne query without type or content validation.
ee/apps/account-service/src/lib/loginViaUsername.ts:

```ts
Users.findOne<IUser>({ username }, { projection: { 'services.password.bcrypt': 1 } });
```
The vulnerability is externally reachable through the login method exposed by the ddp-streamer micro service (reachable via <rocketchat-host>/websocket):
```ts
server.methods({
	async login(resume, user, password) {
		const result = await Account.login({ resume, user, password });
		// ...
	}
});
```
Impact
This issue may allow logins without fully knowing the usernames of users (especially in combination with GHSL-2026-004).
Remediation
Validate that the username parameter is a primitive string before using it in the query and/or use parameterized queries if possible.
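The following is an added illustration, not Rocket.Chat code: an in-memory stand-in for `Users.findOne` that implements only the two selector shapes relevant here (string equality and `$regex`), placed beside a vulnerable and a hardened `loginViaUsername` (both hypothetical names, as are the sample users). It shows why the operator object from the report matches a record the caller never named, and how the primitive-string check from the remediation rejects it before the selector is built.

```typescript
// Added example, not the project's own code. Users and findOne are
// constructed stand-ins for a MongoDB collection.
interface IUser { _id: string; username: string; }

// Constructed sample users standing in for the users collection.
const USERS: IUser[] = [
  { _id: 'u1', username: 'alice' },
  { _id: 'u2', username: 'admin' },
];

// Minimal subset of MongoDB selector semantics: a plain string is an
// equality match, an object carrying `$regex` is a pattern match. Real
// MongoDB treats these two shapes the same way, which is the root of the bug.
function findOne(selector: { username: unknown }): IUser | undefined {
  const cond = selector.username;
  return USERS.find((u) => {
    if (typeof cond === 'string') return u.username === cond;
    if (cond && typeof cond === 'object') {
      const rx = (cond as { $regex?: unknown }).$regex;
      if (typeof rx === 'string') return new RegExp(rx).test(u.username);
    }
    return false;
  });
}

// Vulnerable shape: whatever the client sent is embedded in the selector.
function loginViaUsernameVulnerable(username: unknown): IUser | undefined {
  return findOne({ username });
}

// Hardened shape: anything that is not a primitive string is rejected
// before it can reach the query, as the remediation recommends.
function loginViaUsernameFixed(username: unknown): IUser | undefined {
  if (typeof username !== 'string') {
    throw new TypeError('username must be a string');
  }
  return findOne({ username });
}

// Returns true when the hardened path refuses a non-string username.
function rejectsOperatorObject(input: unknown): boolean {
  try {
    loginViaUsernameFixed(input);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The same type check is what a server-side unit test for the login handler should assert on, since the transport (DDP over `/websocket`) delivers arbitrary JSON values, not just strings.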
CWEs
- CWE-943: Improper Neutralization of Special Elements in Data Query Logic
Credit
These issues were discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2026-004 or GHSL-2026-005 in any communication regarding these issues.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.