Platform: nodejs
Component: rocket.chat
Fixed in: 7.10.9, 7.11.6, 7.12.6, 7.13.5, 8.0.3, 8.1.2, 8.2.1
CVE-2026-30831 describes an authentication bypass vulnerability discovered in Rocket.Chat, a popular open-source communication platform. This flaw allows attackers to circumvent Two-Factor Authentication (2FA) and potentially log in as deactivated users, compromising account security and data integrity. The vulnerability affects versions of Rocket.Chat prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0. A patch has been released to address this issue.
The primary impact of CVE-2026-30831 is the potential for unauthorized access to Rocket.Chat accounts. By exploiting this vulnerability, an attacker can bypass the standard Meteor login flow, circumventing 2FA and logging in as a legitimate user, even if their account has been deactivated. This could lead to data breaches, including access to sensitive conversations, files, and user information stored within the Rocket.Chat instance. The attacker could also potentially use the compromised account to escalate privileges or gain access to other systems within the organization, depending on the account's permissions and network configuration. This vulnerability highlights the importance of properly enforcing authentication controls, even in custom or extended functionalities like the DDP Streamer service.
CVE-2026-30831 was publicly disclosed on March 6, 2026. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the vulnerability's nature suggests it could be easily exploited. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2026-30831 is to upgrade Rocket.Chat to a patched version. Versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0 contain the necessary fixes. If immediate upgrade is not possible, consider temporarily restricting access to the DDP Streamer service or implementing stricter input validation on the Account.login endpoint. Review Rocket.Chat's access control lists (ACLs) to ensure that deactivated user accounts have minimal privileges. After upgrading, confirm the fix by attempting to log in with a deactivated user account and verifying that the login attempt is rejected.
Update Rocket.Chat to version 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0, or a later version that contains the fix for this vulnerability. This will address the Two-Factor Authentication (2FA) bypass and login of deactivated users via the EE ddp-streamer service.
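The advice above boils down to an inventory question: which of your Rocket.Chat instances run a release older than the patched build for their branch? The following Node.js script is an added example, not code from Rocket.Chat or from this advisory. It takes the "Fixed in" versions listed at the top of this page as its thresholds (the list is a parameter, so it can be swapped for the slightly lower numbers quoted in the prose if you trust those), parses semver-style version strings, and classifies each host. The hostnames and versions in SAMPLE_INVENTORY are constructed for the example; a branch with no fixed release listed (older than the oldest fixed branch, or between two fixed branches) is treated as vulnerable, and a branch newer than any fixed branch is reported as assumed-fixed, matching the advisory's "or a later version that contains the fix".

```javascript
// Added example (not Rocket.Chat's code): classify installed Rocket.Chat
// versions against the "Fixed in" list for CVE-2026-30831.

// Patched releases as listed in this page's "Fixed in" field, one per branch.
const FIXED_IN = ["7.10.9", "7.11.6", "7.12.6", "7.13.5", "8.0.3", "8.1.2", "8.2.1"];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v" and any pre-release suffix
// such as "-rc.1" are tolerated) into an array of three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator on parsed versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Classify one installed version:
//   "fixed"         - same major.minor branch as a fixed release and at least that release
//   "vulnerable"    - same branch but older than the fix, or a branch with no fix listed
//   "assumed-fixed" - branch newer than every fixed branch (released after the patch)
function assessVersion(installed, fixedList = FIXED_IN) {
  const inst = parseVersion(installed);
  const fixed = fixedList.map(parseVersion).sort(compareVersions);
  const sameBranch = fixed.find((f) => f[0] === inst[0] && f[1] === inst[1]);
  if (sameBranch) {
    return compareVersions(inst, sameBranch) >= 0 ? "fixed" : "vulnerable";
  }
  const newest = fixed[fixed.length - 1];
  if (compareVersions(inst, newest) > 0) return "assumed-fixed";
  // Older than the oldest fixed branch, or an intermediate branch without a
  // listed fix: no patched build exists for it, so treat it as vulnerable.
  return "vulnerable";
}

// Constructed sample inventory; hostnames and versions are made up for the example.
const SAMPLE_INVENTORY = [
  { host: "chat-prod-1.example.internal", version: "7.13.4" },
  { host: "chat-prod-2.example.internal", version: "7.13.5" },
  { host: "chat-lab.example.internal", version: "7.9.2" },
  { host: "chat-new.example.internal", version: "v8.3.0" },
];

// Produce one row per host with its classification; callers can feed their
// own inventory (e.g. parsed from a CMDB export) in place of the sample.
function reportInventory(inventory = SAMPLE_INVENTORY, fixedList = FIXED_IN) {
  return inventory.map(({ host, version }) => ({
    host,
    version,
    status: assessVersion(version, fixedList),
  }));
}

for (const row of reportInventory()) {
  console.log(`${row.host}\t${row.version}\t${row.status}`);
}
```

Rows reported as "vulnerable" are the ones to schedule for upgrade first; the "Fixed in" list is the only page-specific input, so re-running the script after a future advisory only requires replacing that array.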
CVE-2026-30831 is a vulnerability in Rocket.Chat versions ≤ 8.2.0 that allows attackers to bypass Two-Factor Authentication and potentially log in as deactivated users, compromising account security.
You are affected if you are running Rocket.Chat versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0. Upgrade to a patched version to mitigate the risk.
Upgrade Rocket.Chat to version 7.10.8 or later. If immediate upgrade is not possible, consider restricting access to the DDP Streamer service.
While no active exploitation has been confirmed, the vulnerability's nature suggests it could be easily exploited. Monitor security advisories and threat intelligence feeds.
Refer to the official Rocket.Chat security advisory for CVE-2026-30831 on the Rocket.Chat website or their security announcement channels.