CVE-2026-30831
Published: 06 March 2026
Summary
CVE-2026-30831 is a critical-severity Improper Authentication (CWE-287) vulnerability in Rocket.Chat (vendor: Rocket.Chat). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 36.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-2 requires identification and authentication for organizational users, including multi-factor authentication and validation of account status, directly preventing bypasses in services like the DDP Streamer Account.login method.
AC-2 mandates proper account management, including deactivation and validation of user account status prior to access, blocking logins by deactivated accounts via vulnerable paths.
IA-5 ensures management of authenticators such as 2FA tokens, enforcing their use in all authentication flows including the enterprise DDP Streamer service.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing Rocket.Chat DDP service enables remote exploitation of the application (T1190) to obtain unauthorized access to valid user accounts by skipping 2FA and deactivation checks (T1078).
NVD Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Deeper analysis
CVE-2026-30831 is an authentication bypass vulnerability in Rocket.Chat, an open-source communications platform. It affects the enterprise DDP Streamer service, where the Account.login method fails to enforce Two-Factor Authentication (2FA) or validate user account status, allowing logins even for deactivated accounts. These checks are required in the standard Meteor login flow but are missing here. The flaw impacts Rocket.Chat versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and the associated weaknesses CWE-287 (Improper Authentication) and CWE-304 (Missing Critical Step in Authentication).
Unauthenticated attackers can exploit this over the network with low complexity and no user interaction by targeting the DDP Streamer service's Account.login method. Successful exploitation bypasses 2FA and account deactivation checks, granting full access to any targeted user account, potentially enabling high-impact confidentiality, integrity, and availability violations such as data exfiltration, account takeover, or disruptive actions within the platform.
Rocket.Chat has patched the vulnerability in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0. Security practitioners should upgrade to one of these fixed releases immediately. Additional details are available in the official advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63.
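Because the fix landed on seven separate release branches, deciding whether a deployed build is affected is not a single version comparison. The following is an added example, not code from Rocket.Chat or the advisory: it takes the fixed versions listed above and classifies a reported version per branch. Its handling of branches the advisory does not name (for example 7.14.x) is an assumption, treated conservatively as affected when older than the newest fix.

```javascript
// Added example (not Rocket.Chat project code): classify a Rocket.Chat
// version string against the CVE-2026-30831 fixed releases.

// Fixed releases named in the advisory, one per maintained branch.
const FIXED_VERSIONS = ["7.10.8", "7.11.5", "7.12.5", "7.13.4", "8.0.2", "8.1.1", "8.2.0"];

// Parse "major.minor.patch" with an optional pre-release suffix (e.g. "-rc.1")
// into four integers. The fourth component is 0 for a pre-release and 1 for a
// final release, so that "7.11.5-rc.1" sorts before "7.11.5". Throws otherwise.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Component-wise comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true when `version` should be treated as vulnerable.
// - If the version's major.minor branch has a fixed release, it is affected
//   iff it is older than that release.
// - Assumption: a branch with no fixed release (e.g. 7.14.x, or anything
//   before 7.10) has no patch to upgrade to within the branch, so it is
//   treated as affected whenever it is older than the newest fix (8.2.0).
function isAffected(version) {
  const v = parseVersion(version);
  const fixed = FIXED_VERSIONS.map(parseVersion);
  const sameBranch = fixed.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameBranch) return compareVersions(v, sameBranch) < 0;
  const newest = fixed.reduce((a, b) => (compareVersions(a, b) < 0 ? b : a));
  return compareVersions(v, newest) < 0;
}

// Convenience for an inventory: map each reported version to a verdict.
function classifyInventory(versions) {
  return versions.map((ver) => ({ version: ver, affected: isAffected(ver) }));
}
```

Feed `classifyInventory` the versions reported by your Rocket.Chat instances (for example from the admin info page) to get a per-host upgrade list.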
Details
- CWE(s)