CVE-2026-30831 (GCVE-0-2026-30831)
Vulnerability from cvelistv5 – Published: 2026-03-06 17:40 – Updated: 2026-03-11 03:56
VLAI?
Title
Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer
Summary
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RocketChat | Rocket.Chat |
Affected:
< 7.10.8
Affected: < 7.11.5 Affected: < 7.12.5 Affected: < 7.13.4 Affected: < 8.0.2 Affected: < 8.1.1 Affected: < 8.2.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30831",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T03:56:34.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rocket.Chat",
"vendor": "RocketChat",
"versions": [
{
"status": "affected",
"version": "\u003c 7.10.8"
},
{
"status": "affected",
"version": "\u003c 7.11.5"
},
{
"status": "affected",
"version": "\u003c 7.12.5"
},
{
"status": "affected",
"version": "\u003c 7.13.4"
},
{
"status": "affected",
"version": "\u003c 8.0.2"
},
{
"status": "affected",
"version": "\u003c 8.1.1"
},
{
"status": "affected",
"version": "\u003c 8.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat\u0027s enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-304",
"description": "CWE-304: Missing Critical Step in Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:40:27.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63"
}
],
"source": {
"advisory": "GHSA-7qr6-q62g-hm63",
"discovery": "UNKNOWN"
},
"title": "Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30831",
"datePublished": "2026-03-06T17:40:27.824Z",
"dateReserved": "2026-03-05T21:06:44.606Z",
"dateUpdated": "2026-03-11T03:56:34.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30831\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T18:16:21.817\",\"lastModified\":\"2026-03-13T18:52:27.577\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat\u0027s enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.\"},{\"lang\":\"es\",\"value\":\"Rocket.Chat es una plataforma de comunicaciones de c\u00f3digo abierto, segura y totalmente personalizable. Antes de las versiones 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 y 8.2.0, existen vulnerabilidades de autenticaci\u00f3n en el servicio DDP Streamer empresarial de Rocket.Chat. El m\u00e9todo Account.login expuesto a trav\u00e9s del DDP Streamer no aplica la autenticaci\u00f3n de dos factores (2FA) ni valida el estado de la cuenta de usuario (los usuarios desactivados a\u00fan pueden iniciar sesi\u00f3n), a pesar de que estas comprobaciones son obligatorias en el flujo de inicio de sesi\u00f3n est\u00e1ndar de Meteor. Este problema ha sido parcheado en las versiones 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 y 8.2.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-304\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.10.8\",\"matchCriteriaId\":\"2B46CE2E-8C7D-4F11-B0CF-C73A3718A56B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.11.0\",\"versionEndExcluding\":\"7.11.5\",\"matchCriteriaId\":\"7AF8C2C1-73C3-4FB7-889A-5A6FD8E6C6C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.12.0\",\"versionEndExcluding\":\"7.12.5\",\"matchCriteriaId\":\"A7339A16-6F5B-47D2-8D6C-289E4E7DB99C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.13.0\",\"versionEndExcluding\":\"7.13.4\",\"matchCriteriaId\":\"87EB1237-813C-4834-89ED-52A66F3E157D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.0.2\",\"matchCriteriaId\":\"F1615F6F-6774-4B2F-AA6C-ABD2397284B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndExcluding\":\"8.1.1\",\"matchCriteriaId\":\"E5C728C6-E42D-4842-8466-2ABC6151B8E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc0:*:*:*:*:*:*\",\"matchCriteriaId\":\"158A7899-8BF4-4BAB-ABC1-28A294BA1F3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7393A14-F640-449F-8D2E-B0E5D0734A0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"57CDF8CA-080D-4E50-8758-06085FF2A95C\"}]}]}],\"references\":[{\"url\":\"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30831\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T18:35:10.303449Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T18:35:13.288Z\"}}], \"cna\": {\"title\": \"Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer\", \"source\": {\"advisory\": \"GHSA-7qr6-q62g-hm63\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"RocketChat\", \"product\": \"Rocket.Chat\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7.10.8\"}, {\"status\": \"affected\", \"version\": \"\u003c 7.11.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 7.12.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 7.13.4\"}, {\"status\": \"affected\", \"version\": \"\u003c 8.0.2\"}, {\"status\": \"affected\", \"version\": \"\u003c 8.1.1\"}, {\"status\": \"affected\", \"version\": \"\u003c 8.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63\", \"name\": \"https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat\u0027s enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-304\", \"description\": \"CWE-304: Missing Critical Step in Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T17:40:27.824Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30831\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-11T03:56:34.815Z\", \"dateReserved\": \"2026-03-05T21:06:44.606Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T17:40:27.824Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…