{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30831", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-06T17:40:27.824Z", "dateUpdated": "2026-03-11T03:56:34.815Z"}, "containers": {"cna": {"title": "Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-304", "lang": "en", "description": "CWE-304: Missing Critical Step in Authentication", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63"}], "affected": [{"vendor": "RocketChat", "product": "Rocket.Chat", "versions": [{"version": "< 7.10.8", "status": "affected"}, {"version": "< 7.11.5", "status": "affected"}, {"version": "< 7.12.5", "status": "affected"}, {"version": "< 7.13.4", "status": "affected"}, {"version": "< 8.0.2", "status": "affected"}, {"version": "< 8.1.1", "status": "affected"}, {"version": "< 8.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:40:27.824Z"}, "descriptions": [{"lang": "en", "value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0."}], "source": {"advisory": "GHSA-7qr6-q62g-hm63", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-30831"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T03:56:34.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30831", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:35:10.303449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:35:13.288Z"}}], "cna": {"title": "Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer", "source": {"advisory": "GHSA-7qr6-q62g-hm63", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "RocketChat", "product": "Rocket.Chat", "versions": [{"status": "affected", "version": "< 7.10.8"}, {"status": "affected", "version": "< 7.11.5"}, {"status": "affected", "version": "< 7.12.5"}, {"status": "affected", "version": "< 7.13.4"}, {"status": "affected", "version": "< 8.0.2"}, {"status": "affected", "version": "< 8.1.1"}, {"status": "affected", "version": "< 8.2.0"}]}], "references": [{"url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63", "name": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-304", "description": "CWE-304: Missing Critical Step in Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T17:40:27.824Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30831", "state": "PUBLISHED", "dateUpdated": "2026-03-11T03:56:34.815Z", "dateReserved": "2026-03-05T21:06:44.606Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T17:40:27.824Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B46CE2E-8C7D-4F11-B0CF-C73A3718A56B", "versionEndExcluding": "7.10.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AF8C2C1-73C3-4FB7-889A-5A6FD8E6C6C1", "versionEndExcluding": "7.11.5", "versionStartIncluding": "7.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7339A16-6F5B-47D2-8D6C-289E4E7DB99C", "versionEndExcluding": "7.12.5", "versionStartIncluding": "7.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "87EB1237-813C-4834-89ED-52A66F3E157D", "versionEndExcluding": "7.13.4", "versionStartIncluding": "7.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1615F6F-6774-4B2F-AA6C-ABD2397284B1", "versionEndExcluding": "8.0.2", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5C728C6-E42D-4842-8466-2ABC6151B8E8", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "158A7899-8BF4-4BAB-ABC1-28A294BA1F3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F7393A14-F640-449F-8D2E-B0E5D0734A0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "57CDF8CA-080D-4E50-8758-06085FF2A95C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0."}, {"lang": "es", "value": "Rocket.Chat es una plataforma de comunicaciones de c\u00f3digo abierto, segura y totalmente personalizable. Antes de las versiones 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 y 8.2.0, existen vulnerabilidades de autenticaci\u00f3n en el servicio DDP Streamer empresarial de Rocket.Chat. El m\u00e9todo Account.login expuesto a trav\u00e9s del DDP Streamer no aplica la autenticaci\u00f3n de dos factores (2FA) ni valida el estado de la cuenta de usuario (los usuarios desactivados a\u00fan pueden iniciar sesi\u00f3n), a pesar de que estas comprobaciones son obligatorias en el flujo de inicio de sesi\u00f3n est\u00e1ndar de Meteor. Este problema ha sido parcheado en las versiones 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1 y 8.2.0."}], "id": "CVE-2026-30831", "lastModified": "2026-03-13T18:52:27.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T18:16:21.817", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-304"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.10.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.11.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.12.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.13.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Rocket.Chat", "source": "cna", "vendor": "RocketChat"}, "product": "rocket.chat", "vendor": "rocketchat"}], "created": "2026-03-09T10:07:14.718285+00:00", "updated": "2026-03-09T10:07:14.718381+00:00", "vendors": ["rocketchat", "rocketchat$PRODUCT$rocket.chat"]}