CVE-2026-30831

EUVD-2026-10054

06.03.2026, 18:16

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
rocket.chat	rocket.chat	𝑥 < 7.10.8
rocket.chat	rocket.chat	7.11.0 ≤ 𝑥 < 7.11.5
rocket.chat	rocket.chat	7.12.0 ≤ 𝑥 < 7.12.5
rocket.chat	rocket.chat	7.13.0 ≤ 𝑥 < 7.13.4
rocket.chat	rocket.chat	8.0.0 ≤ 𝑥 < 8.0.2
rocket.chat	rocket.chat	8.1.0 ≤ 𝑥 < 8.1.1
rocket.chat	rocket.chat	8.2.0:rc0
rocket.chat	rocket.chat	8.2.0:rc1
rocket.chat	rocket.chat	8.2.0:rc2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63