
CVE-2026-30831

Severity: High

Published: 06 March 2026

Modified: 13 March 2026
CVSS v4 score: 8.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0033 (24.9th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-30831 is a high-severity Improper Authentication (CWE-287) vulnerability in Rocket.Chat (vendor: Rocket.Chat). Its CVSS v4 base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-30831 is an authentication bypass vulnerability in Rocket.Chat, an open-source communications platform. It affects the enterprise DDP Streamer service, where the Account.login method fails to enforce Two-Factor Authentication (2FA) or validate user account status, allowing logins even for deactivated accounts. These checks are mandatory in the standard Meteor login flow but are missing on this path. The flaw affects Rocket.Chat versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and is classified under CWE-287 (Improper Authentication) and CWE-304 (Missing Critical Step in Authentication).

Unauthenticated attackers can exploit this over the network with low complexity and no user interaction by targeting the DDP Streamer service's Account.login method. Successful exploitation bypasses 2FA and account deactivation checks, granting full access to any targeted user account, potentially enabling high-impact confidentiality, integrity, and availability violations such as data exfiltration, account takeover, or disruptive actions within the platform.

Rocket.Chat has patched the vulnerability in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0. Security practitioners should upgrade to one of these fixed releases immediately. Additional details are available in the official advisory at https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63.


Vulnerability details

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Authentication bypass in public-facing Rocket.Chat DDP service enables remote exploitation of the application (T1190) to obtain unauthorized access to valid user accounts by skipping 2FA and deactivation checks (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28514: same product (Rocket.Chat Rocket.Chat)
CVE-2026-29198: same product (Rocket.Chat Rocket.Chat)
CVE-2026-23477: same product (Rocket.Chat Rocket.Chat)
CVE-2024-12919: shared CWE-287
CVE-2026-3655: shared CWE-287
CVE-2026-0953: shared CWE-287
CVE-2026-5722: shared CWE-287
CVE-2026-30949: shared CWE-287
CVE-2026-23906: shared CWE-287
CVE-2025-67822: shared CWE-287

Affected Assets

Vendor: rocket.chat
Product: rocket.chat
Versions: 8.2.0 · ≤ 7.10.8 · 7.11.0 to 7.11.5 · 7.12.0 to 7.12.5

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: IA-2 requires identification and authentication for organizational users, including multi-factor authentication and validation of account status, directly preventing bypasses in services like the DDP Streamer Account.login method.

Prevent: AC-2 mandates proper account management, including deactivation and validation of user account status prior to access, blocking logins by deactivated accounts via vulnerable paths.

Prevent: IA-5 ensures management of authenticators such as 2FA tokens, enforcing their use in all authentication flows including the enterprise DDP Streamer service.
