CVE-2026-30831

EPSS 0.33%
Veröffentlicht 06.03.2026 17:40:27
Zuletzt bearbeitet 13.03.2026 18:52:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

NVD 9 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rocket.Chat ≫ Rocket.Chat Version < 7.10.8

Rocket.Chat ≫ Rocket.Chat Version >= 7.11.0 < 7.11.5

Rocket.Chat ≫ Rocket.Chat Version >= 7.12.0 < 7.12.5

Rocket.Chat ≫ Rocket.Chat Version >= 7.13.0 < 7.13.4

Rocket.Chat ≫ Rocket.Chat Version >= 8.0.0 < 8.0.2

Rocket.Chat ≫ Rocket.Chat Version >= 8.1.0 < 8.1.1

Rocket.Chat ≫ Rocket.Chat Version8.2.0 Updaterc0

Rocket.Chat ≫ Rocket.Chat Version8.2.0 Updaterc1

Rocket.Chat ≫ Rocket.Chat Version8.2.0 Updaterc2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.248

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-304 Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-30831

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-30831

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-30831

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-30831