CVE-2026-30831
Authentication Bypass in Rocket.Chat DDP Streamer Allows Unauthorized Login
Publication date: 2026-03-06
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rocket.chat | rocket.chat | to 7.10.8 (exc) |
| rocket.chat | rocket.chat | From 7.11.0 (inc) to 7.11.5 (exc) |
| rocket.chat | rocket.chat | From 7.12.0 (inc) to 7.12.5 (exc) |
| rocket.chat | rocket.chat | From 7.13.0 (inc) to 7.13.4 (exc) |
| rocket.chat | rocket.chat | From 8.0.0 (inc) to 8.0.2 (exc) |
| rocket.chat | rocket.chat | From 8.1.0 (inc) to 8.1.1 (exc) |
| rocket.chat | rocket.chat | 8.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-304 | The product implements an authentication technique, but it skips a step that weakens the technique. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30831 is a critical authentication vulnerability in Rocket.Chat's enterprise DDP Streamer service affecting versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

The vulnerability occurs because the Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) nor validate the user account status, unlike the standard Meteor login flow, which performs these mandatory checks.

As a result, deactivated users can still log in, and attackers can bypass 2FA, increasing the risk of account takeover through brute-force or password spraying attacks.

The root cause is missing 2FA validation and account status checks in the DDP Streamer login code, which contrasts with the standard login flow that verifies TOTP codes and user activity status. [1]
How can this vulnerability impact me?
This vulnerability can have serious security impacts, including unauthorized access to user accounts.

- Deactivated users can regain access to the system despite being disabled.
- Attackers can bypass Two-Factor Authentication (2FA), making it easier to perform account takeover attacks such as brute-force or password spraying.

These issues can lead to compromised accounts, data breaches, and loss of trust in the platform's security. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Account.login method exposed through Rocket.Chat's enterprise DDP Streamer service bypassing Two-Factor Authentication (2FA) and user account status validation.

To detect exploitation attempts or the presence of this vulnerability on your system, you should monitor login attempts that bypass 2FA or allow deactivated users to log in.

Since the vulnerability is in the authentication flow, you can check logs for successful logins from deactivated accounts or logins without 2FA verification.

Specific commands are not provided in the available resources, but general approaches include:

- Review Rocket.Chat server logs for login events where 2FA was not enforced.
- Query user account status in the database to identify any logins from accounts marked as inactive.
- Use network monitoring tools to detect unusual authentication traffic patterns targeting the DDP Streamer service. [1]
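The detection approach above, as an added example that is not part of this record or of Rocket.Chat's own code: it cross-checks successful login events against the user directory and flags any login that the standard flow's checks would have refused (inactive account, or TOTP enabled but never verified). The event and user records are constructed samples, and the field names (`active`, `totp_enabled`, `totp_verified`, `endpoint`) are assumptions, not Rocket.Chat's log or schema format.

```python
"""Audit successful logins for missing account-status and 2FA checks.
Added example: constructed data, assumed field names."""

# Constructed user directory (assumption: one record per username with an
# `active` flag and whether TOTP-based 2FA is enabled for the account).
USERS = {
    "alice": {"active": True, "totp_enabled": True},
    "bob": {"active": False, "totp_enabled": False},  # deactivated account
    "carol": {"active": True, "totp_enabled": False},
}

# Constructed login events (not real Rocket.Chat log lines). `endpoint` names
# the login path, `totp_verified` whether a TOTP code was checked, `ok` whether
# the server accepted the login.
EVENTS = [
    {"user": "alice", "endpoint": "meteor", "totp_verified": True, "ok": True},
    {"user": "alice", "endpoint": "ddp-streamer", "totp_verified": False, "ok": True},
    {"user": "bob", "endpoint": "ddp-streamer", "totp_verified": False, "ok": True},
    {"user": "carol", "endpoint": "ddp-streamer", "totp_verified": False, "ok": True},
    {"user": "bob", "endpoint": "meteor", "totp_verified": False, "ok": False},
]


def audit_logins(events, users):
    """Return (user, endpoint, reason) for every accepted login that a
    correctly enforced flow (status check + 2FA) should have rejected."""
    findings = []
    for ev in events:
        if not ev["ok"]:
            continue  # a rejected login is the expected outcome
        record = users.get(ev["user"])
        if record is None:
            findings.append((ev["user"], ev["endpoint"], "unknown-user"))
        elif not record["active"]:
            findings.append((ev["user"], ev["endpoint"], "inactive-account"))
        elif record["totp_enabled"] and not ev["totp_verified"]:
            findings.append((ev["user"], ev["endpoint"], "2fa-not-verified"))
    return findings


def findings_by_endpoint(findings):
    """Count findings per login path; a cluster on one path points at the
    endpoint whose checks are missing."""
    counts = {}
    for _, endpoint, _ in findings:
        counts[endpoint] = counts.get(endpoint, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_logins(EVENTS, USERS):
        print(finding)
    print(findings_by_endpoint(audit_logins(EVENTS, USERS)))
```

In a real deployment the two inputs would come from the server's login log and the users collection; the comparison logic stays the same.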
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Rocket.Chat to one of the patched versions: 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0.
These versions enforce Two-Factor Authentication (2FA) and validate user account status properly in the Account.login method.
If upgrading immediately is not possible, consider temporarily disabling the enterprise DDP Streamer service or restricting access to it to trusted networks only.
Additionally, review and enforce 2FA policies manually and monitor for any login attempts from deactivated accounts.
Long-term remediation includes consolidating authentication logic to unify security controls and implementing integration tests to ensure 2FA enforcement on all authentication endpoints.