CVE-2026-30831

High CVSS: 8.0

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Vendor

Rocket.chat

Product

Rocket.chat

CWE

CWE-287

Yayın Tarihi

2026-03-06 18:16:21

Güncelleme

2026-03-13 18:52:27

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Rocket.chat HIGH Rocket.chat 2026

Referanslar

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63

Benzer Kayıtlar

Medium

CVE-2026-30833

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.1…

Critical

CVE-2026-28514

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.…

High

CVE-2026-23477

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0,…

High

CVE-2025-7974

rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to…

Medium

CVE-2025-5892

A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the f…