QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-30831

Back to search

CVE-2026-30831

Published: Mar 6, 2026

Modified: Mar 11, 2026

PUBLISHED

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

VendorProductVersions

RocketChat

Rocket.Chat

affected
< 7.10.8
affected
< 7.11.5
affected
< 7.12.5
affected
< 7.13.4
affected
< 8.0.2

+2 more versions

Weaknesses (CWE)

CWE-287
CWE-304

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now
CVE-2026-30831 - Security Vulnerability | QwikSec