Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Published: 2026-03-06
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in Rocket.Chat's Enterprise DDP Streamer service, the enterprise-edition service that handles DDP (the Meteor WebSocket RPC protocol) client traffic. The Account.login method it exposes verifies the supplied credentials but skips two checks that the standard Meteor login flow makes mandatory: it does not require the second factor from users who have enrolled in two-factor authentication, and it does not reject accounts that an administrator has deactivated. An attacker who already holds a user's password (phished, reused, or leaked) can therefore obtain a session through this path without ever presenting a 2FA code, and an offboarded or suspended user whose account was deactivated rather than deleted can keep logging in. Either outcome yields a fully authenticated session with that user's access to the workspace and its messages and files.

Affected Systems

Affected products are Rocket.Chat Enterprise deployments that run the DDP Streamer service on any version before 7.10.8, on 7.11.x before 7.11.5, 7.12.x before 7.12.5, 7.13.x before 7.13.4, 8.0.x before 8.0.2, 8.1.x before 8.1.1, and on the 8.2.0 release candidates rc0 through rc2 (the 8.2.0 general release contains the fix, as do 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2 and 8.1.1).

Risk and Exploitability

The CNA (GitHub) assigned a CVSS v4.0 base score of 8.0 (High; AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N, with E:U indicating no reported exploitation), and NVD separately scored it 9.8 Critical under CVSS v3.1. The EPSS score is below 1%, indicating a low probability of exploitation at present, and it is not listed in the CISA KEV catalog; CISA's SSVC assessment rates it as automatable with total technical impact. The attack is network-reachable and needs no prior session on the target: anyone who can reach the Enterprise DDP Streamer endpoint and who holds a user's password can issue a login call over the DDP stream and receive a session without supplying the second factor, or receive a session for an account an administrator has deactivated. The deactivated account is not re-activated; the status check is simply never applied on this path, so the account stays usable despite being disabled in the user management view.

Generated by OpenCVE AI on April 16, 2026 at 04:36 UTC.

Remediation

A vendor fix is available: upgrade to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 or 8.2.0 as listed in the Description. No vendor-published workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade to the fixed release of the line you run: 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 or 8.2.0 (8.2.0-rc0 through rc2 are affected, the 8.2.0 general release is not). In a microservices deployment, update the DDP Streamer service together with the main server, since the flaw is in that service.
  • If an immediate upgrade is not possible, restrict network access to the Enterprise DDP Streamer endpoint with firewall or ingress rules, or disable the service if your deployment does not depend on it.
  • Until patched, do not count 2FA as a compensating control for this endpoint: the second factor is never requested there, so a leaked password alone is sufficient. Rotate credentials that may have been exposed, review login and session records for sign-ins by deactivated accounts or by 2FA-enrolled users that completed without a second factor, and where policy allows delete rather than deactivate offboarded accounts, since deactivation is the control being bypassed.

Generated by OpenCVE AI on April 16, 2026 at 04:36 UTC.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Rocket.chat
                                      Rocket.chat rocket.chat
CPEs                 -                cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc0:*:*:*:*:*:*
                                      cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc1:*:*:*:*:*:*
                                      cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc2:*:*:*:*:*:*
Vendors & Products   -                Rocket.chat
                                      Rocket.chat rocket.chat
Metrics              -                cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Rocketchat
                                      Rocketchat rocket.chat
Vendors & Products   -                Rocketchat
                                      Rocketchat rocket.chat

Fri, 06 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 18:00:00 +0000

Type                 Values Removed   Values Added
Description          -                Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Title                -                Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer
Weaknesses           -                CWE-287
                                      CWE-304
References           -
Metrics              -                cvssV4_0 {'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:56:34.815Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30831

Vulnrichment

Updated: 2026-03-06T18:35:13.288Z

NVD

Status : Analyzed

Published: 2026-03-06T18:16:21.817

Modified: 2026-03-13T18:52:27.577

Link: CVE-2026-30831

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses