Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still log in), even though both checks are mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Status: PUBLISHED | Reserved 2026-03-05 | Published 2026-03-06 | Updated 2026-03-06 | Assigner: GitHub_M

Severity: HIGH 8.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U)

Problem types

CWE-287: Improper Authentication

CWE-304: Missing Critical Step in Authentication

Product status

< 7.10.8: affected
< 7.11.5: affected
< 7.12.5: affected
< 7.13.4: affected
< 8.0.2: affected
< 8.1.1: affected
< 8.2.0: affected

References

github.com/...t.Chat/security/advisories/GHSA-7qr6-q62g-hm63

cve.org (CVE-2026-30831)

nvd.nist.gov (CVE-2026-30831)