CVE-2026-30831
HIGH
CVSS 8.0
No EPSS data
Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-30831",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 9.8,
"attackVector": "NETWORK",
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 3.9
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 8,
"Automatable": "NOT_DEFINED",
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "UNREPORTED",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-03-06T18:16:21.817",
"references": [
{
"url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-304"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0."
},
{
"lang": "es",
"value": "Rocket.Chat es una plataforma de comunicaciones de c\u00f3digo abierto, segura y totalmente personalizable. Antes de las versiones 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 y 8.2.0, existen vulnerabilidades de autenticaci\u00f3n en el servicio DDP Streamer empresarial de Rocket.Chat. El m\u00e9todo Account.login expuesto a trav\u00e9s del DDP Streamer no aplica la autenticaci\u00f3n de dos factores (2FA) ni valida el estado de la cuenta de usuario (los usuarios desactivados a\u00fan pueden iniciar sesi\u00f3n), a pesar de que estas comprobaciones son obligatorias en el flujo de inicio de sesi\u00f3n est\u00e1ndar de Meteor. Este problema ha sido parcheado en las versiones 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 y 8.2.0."
}
],
"lastModified": "2026-03-13T18:52:27.577",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "2B46CE2E-8C7D-4F11-B0CF-C73A3718A56B",
"versionEndExcluding": "7.10.8"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7AF8C2C1-73C3-4FB7-889A-5A6FD8E6C6C1",
"versionEndExcluding": "7.11.5",
"versionStartIncluding": "7.11.0"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A7339A16-6F5B-47D2-8D6C-289E4E7DB99C",
"versionEndExcluding": "7.12.5",
"versionStartIncluding": "7.12.0"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "87EB1237-813C-4834-89ED-52A66F3E157D",
"versionEndExcluding": "7.13.4",
"versionStartIncluding": "7.13.0"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F1615F6F-6774-4B2F-AA6C-ABD2397284B1",
"versionEndExcluding": "8.0.2",
"versionStartIncluding": "8.0.0"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E5C728C6-E42D-4842-8466-2ABC6151B8E8",
"versionEndExcluding": "8.1.1",
"versionStartIncluding": "8.1.0"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc0:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "158A7899-8BF4-4BAB-ABC1-28A294BA1F3F"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F7393A14-F640-449F-8D2E-B0E5D0734A0F"
},
{
"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "57CDF8CA-080D-4E50-8758-06085FF2A95C"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}