CVE-2026-30831
Authentication Bypass in Rocket.Chat DDP Streamer Allows Unauthorized Login

Publication date: 2026-03-06

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still log in), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor       Product      Version / Range
rocket.chat  rocket.chat  up to 7.10.8 (excluding)
rocket.chat  rocket.chat  from 7.11.0 (including) to 7.11.5 (excluding)
rocket.chat  rocket.chat  from 7.12.0 (including) to 7.12.5 (excluding)
rocket.chat  rocket.chat  from 7.13.0 (including) to 7.13.4 (excluding)
rocket.chat  rocket.chat  from 8.0.0 (including) to 8.0.2 (excluding)
rocket.chat  rocket.chat  from 8.1.0 (including) to 8.1.1 (excluding)
rocket.chat  rocket.chat  8.2.0
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-304: The product implements an authentication technique, but it skips a step that weakens the technique.
AI Quick Actions (insights generated by AI)
Executive Summary

CVE-2026-30831 is a critical authentication vulnerability in Rocket.Chat's enterprise DDP Streamer service affecting versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

The vulnerability occurs because the Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) nor validate the user account status, unlike the standard Meteor login flow which performs these mandatory checks.

As a result, deactivated users can still log in, and attackers can bypass 2FA, increasing the risk of account takeover through brute-force or password spraying attacks.

The root cause is missing 2FA validation and account status checks in the DDP Streamer login code, which contrasts with the standard login flow that verifies TOTP codes and user activity status. [1]

Impact Analysis

This vulnerability can have serious security impacts including unauthorized access to user accounts.

- Deactivated users can regain access to the system despite being disabled.
- Attackers can bypass Two-Factor Authentication (2FA), making it easier to perform account takeover attacks such as brute-force or password spraying.

These issues can lead to compromised accounts, data breaches, and loss of trust in the platform's security. [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the Account.login method exposed through Rocket.Chat's enterprise DDP Streamer service bypassing Two-Factor Authentication (2FA) and user account status validation.

To detect exploitation attempts or the presence of this vulnerability on your system, you should monitor login attempts that bypass 2FA or allow deactivated users to log in.

Since the vulnerability is in the authentication flow, you can check logs for successful logins from deactivated accounts or logins without 2FA verification.

Specific commands are not provided in the available resources, but general approaches include:

- Review Rocket.Chat server logs for login events where 2FA was not enforced.
- Query user account status in the database to identify any logins from accounts marked as inactive.
- Use network monitoring tools to detect unusual authentication traffic patterns targeting the DDP Streamer service. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Rocket.Chat to one of the patched versions: 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0.

These versions enforce Two-Factor Authentication (2FA) and validate user account status properly in the Account.login method.

If upgrading immediately is not possible, consider temporarily disabling the enterprise DDP Streamer service or restricting access to it to trusted networks only.

Additionally, review and enforce 2FA policies manually and monitor for any login attempts from deactivated accounts.

Long-term remediation includes consolidating authentication logic to unify security controls and implementing integration tests to ensure 2FA enforcement on all authentication endpoints.
