PT-2026-23737 · Rocket.Chat · Rocket.Chat
Published: 2026-03-06 · Updated: 2026-03-13
CVE-2026-30831
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rocket.Chat versions prior to 7.10.8
Rocket.Chat versions prior to 7.11.5
Rocket.Chat versions prior to 7.12.5
Rocket.Chat versions prior to 7.13.4
Rocket.Chat versions prior to 8.0.2
Rocket.Chat versions prior to 8.1.1
Rocket.Chat versions prior to 8.2.0
Description
Rocket.Chat is a communications platform. Authentication issues exist in the enterprise DDP Streamer service. The Account.login method, exposed through the DDP Streamer, does not enforce Two-Factor Authentication (2FA) or validate user account status, allowing deactivated users to log in. These checks are normally required in the standard Meteor login process.
Recommendations
Update to Rocket.Chat version 7.10.8 or later.
Update to Rocket.Chat version 7.11.5 or later.
Update to Rocket.Chat version 7.12.5 or later.
Update to Rocket.Chat version 7.13.4 or later.
Update to Rocket.Chat version 8.0.2 or later.
Update to Rocket.Chat version 8.1.1 or later.
Update to Rocket.Chat version 8.2.0 or later.
Weakness: Improper Authentication
Affected Products
Rocket.Chat