PT-2026-23737 · Rocket.Chat · Rocket.Chat
Published 2026-03-06 · Updated 2026-03-13 · CVE-2026-30831
CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rocket.Chat versions prior to 7.10.8
Rocket.Chat versions prior to 7.11.5
Rocket.Chat versions prior to 7.12.5
Rocket.Chat versions prior to 7.13.4
Rocket.Chat versions prior to 8.0.2
Rocket.Chat versions prior to 8.1.1
Rocket.Chat versions prior to 8.2.0
Description
Rocket.Chat is a communications platform. Authentication issues exist in the enterprise DDP Streamer service. The Account.login method, exposed through the DDP Streamer, does not enforce Two-Factor Authentication (2FA) or validate user account status, allowing deactivated users to log in. These checks are normally required in the standard Meteor login process.
Recommendations
Update to Rocket.Chat version 7.10.8 or later.
Update to Rocket.Chat version 7.11.5 or later.
Update to Rocket.Chat version 7.12.5 or later.
Update to Rocket.Chat version 7.13.4 or later.
Update to Rocket.Chat version 8.0.2 or later.
Update to Rocket.Chat version 8.1.1 or later.
Update to Rocket.Chat version 8.2.0 or later.
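As an added defender-side example (not code from the advisory or from the Rocket.Chat project), a small Python triage helper that encodes the fixed versions listed above: a version on one of the listed maintenance branches is vulnerable until that branch's fix, and any other version below 8.2.0 is treated as vulnerable (an assumption drawn from the "prior to 8.2.0" entry). The `triage` helper and its sample inventory are constructed for illustration.

```python
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

# First fixed release per maintenance branch (major.minor), taken from the
# advisory for CVE-2026-30831. Versions on any other branch are assumed to
# be fixed only from 8.2.0 onward (the advisory's "prior to 8.2.0" entry).
FIXED_IN_BRANCH: Dict[Tuple[int, int], Version] = {
    (7, 10): (7, 10, 8),
    (7, 11): (7, 11, 5),
    (7, 12): (7, 12, 5),
    (7, 13): (7, 13, 4),
    (8, 0): (8, 0, 2),
    (8, 1): (8, 1, 1),
}
GENERAL_FIX: Version = (8, 2, 0)


def parse_version(text: str) -> Version:
    """Parse a plain 'major.minor.patch' string (optional leading 'v').
    Pre-release or build suffixes are rejected so that a tag like
    '8.2.0-rc.1' is never silently counted as the fixed release."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Rocket.Chat version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def first_fixed_for(version: Version) -> Version:
    """Release that closes CVE-2026-30831 for this version's branch."""
    return FIXED_IN_BRANCH.get((version[0], version[1]), GENERAL_FIX)


def is_vulnerable(text: str) -> bool:
    """True when the installed version predates the fix for its branch."""
    version = parse_version(text)
    return version < first_fixed_for(version)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Constructed inventory helper: map each observed version to a verdict."""
    verdicts = {}
    for v in versions:
        fix = first_fixed_for(parse_version(v))
        verdicts[v] = ("VULNERABLE, upgrade to %d.%d.%d" % fix
                       if is_vulnerable(v) else "patched")
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not data taken from the advisory.
    sample = ["7.10.7", "7.10.8", "7.13.3", "8.1.0", "8.1.1", "7.9.2", "8.2.0"]
    for ver, verdict in triage(sample).items():
        print(f"{ver:>8}: {verdict}")
```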
Exploit
Fix
Improper Authentication
Related identifiers
Affected products
Rocket.Chat