CVE-2026-30831

CRITICAL

Rocket.Chat <8.2.0 - Auth Bypass

Title source: llm

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

References (1)

[Vendor Advisory] https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63

Scores

CVSS v3 9.8

EPSS 0.0008

EPSS Percentile 22.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-304 CWE-287

Status published

Products (2)

rocket.chat/rocket.chat 8.2.0 rc0 (3 CPE variants)

rocket.chat/rocket.chat < 7.10.8

Published Mar 06, 2026

Tracked Since Mar 07, 2026