CVE-2026-30831 · CRITICAL 9.8 · EPSS percentile 24.9%

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still log in), despite both checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
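The fix is distributed across several release branches, so "am I affected?" is a per-branch comparison rather than a single threshold. The following is an added example (not Rocket.Chat's own code or tooling) that encodes the patched versions listed above and classifies an installed version. One policy in it is an assumption of the example, not of the advisory: a version whose major.minor branch has no listed fix is treated as fixed only if it is at or above the highest listed fix (8.2.0, i.e. a later release line) and as vulnerable otherwise.

```javascript
// Added example, not Rocket.Chat code. Classifies an installed Rocket.Chat
// version against the patched versions from the CVE-2026-30831 advisory.

const PATCHED_VERSIONS = ['7.10.8', '7.11.5', '7.12.5', '7.13.4', '8.0.2', '8.1.1', '8.2.0'];

// Parse "8.0.2", "v8.0.2" or "8.0.2-rc.1" into [major, minor, patch].
// Pre-release suffixes are ignored (assumption: treated like the base release).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true when `installed` is in the affected range.
function isVulnerable(installed) {
  const v = parseVersion(installed);
  const patched = PATCHED_VERSIONS.map(parseVersion);

  // A branch with a listed fix (same major.minor): fixed iff patch >= fix.
  const branchFix = patched.find((p) => p[0] === v[0] && p[1] === v[1]);
  if (branchFix) return compareVersions(v, branchFix) < 0;

  // No listed fix for this branch (assumption of this example): release lines
  // at or above the highest listed fix are treated as fixed, older ones as
  // vulnerable. Earlier minors such as 7.9.x received no backport.
  const highest = patched.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  return compareVersions(v, highest) < 0;
}

// Convenience for fleet inventories: map each version to its status.
function assess(versions) {
  return Object.fromEntries(versions.map((v) => [v, isVulnerable(v) ? 'vulnerable' : 'fixed']));
}

module.exports = { parseVersion, compareVersions, isVulnerable, assess };
```

Feed it the version string your deployment reports (for example from the admin "Info" page or the server's package metadata); the branch policy above is deliberately conservative, so anything it flags should be checked against the advisory before being dismissed.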

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% probability of exploitation · percentile 24.9% · scored 2026-06-18T12:00:27Z
Published: 2026-03-06
Last modified: 2026-03-13

Underlying weaknesses · 2

CWE-287, CWE-304

References

  1. https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63

Weakness mappings · 2

Type     | Target                                              | Confidence | Tier
Weakness | Improper Authentication (CWE-287)                   | 0%         | live
Weakness | Missing Critical Step in Authentication (CWE-304)   | 0%         | live
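CWE-304 is the pattern the description spells out: a second login entry point that re-implements authentication and leaves out steps the primary flow performs. The following is an added illustration, not Rocket.Chat or Meteor code; the user records, the fixed TOTP code and the function names are all constructed for the example. It contrasts an entry point that performs only the password step with a hardened design in which every entry point delegates to one authenticator that also enforces account status and 2FA.

```javascript
// Added example, not Rocket.Chat code: the shape of CWE-304 as described in
// CVE-2026-30831, using a constructed in-memory user store.

// Constructed user records (not real accounts).
const USERS = new Map([
  ['alice', { password: 'alice-pw', active: true,  totpSecret: null }],
  ['bob',   { password: 'bob-pw',   active: true,  totpSecret: 'bob-totp-secret' }],
  ['carol', { password: 'carol-pw', active: false, totpSecret: null }],
]);

// Password step only. Plain comparison for brevity; a real system compares
// against a password hash.
function checkPassword(username, password) {
  const user = USERS.get(username);
  return user && user.password === password ? user : null;
}

// Stand-in for TOTP verification: this example accepts a single fixed code.
function verifyTotp(secret, code) {
  return secret !== null && code === '123456';
}

// Vulnerable shape: a separate entry point (stand-in for the streamer's
// Account.login) that reimplements login and stops after the password step.
// A deactivated user, or a user with 2FA enrolled and no code, still gets in.
function streamerLoginVulnerable(username, password) {
  const user = checkPassword(username, password);
  if (!user) return { ok: false, reason: 'bad-credentials' };
  return { ok: true, username };
}

// Hardened shape: one authenticator that performs every critical step.
// Account status is checked before 2FA so a deactivated account never
// reaches the TOTP prompt.
function authenticate({ username, password, totpCode }) {
  const user = checkPassword(username, password);
  if (!user) return { ok: false, reason: 'bad-credentials' };
  if (!user.active) return { ok: false, reason: 'account-deactivated' };
  if (user.totpSecret !== null && !verifyTotp(user.totpSecret, totpCode)) {
    return { ok: false, reason: 'totp-required' };
  }
  return { ok: true, username };
}

// Every transport-specific entry point delegates; none re-implements the flow.
function meteorLogin(params) { return authenticate(params); }
function streamerLoginFixed(params) { return authenticate(params); }

module.exports = { streamerLoginVulnerable, authenticate, meteorLogin, streamerLoginFixed };
```

The design point is the single chokepoint: when a new transport (here a second RPC surface) needs login, it must call the same authenticator as the primary flow, so that a check added to the primary flow later cannot be missed on the secondary one.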

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE · CVE-2026-28514
  2. CVE · CVE-2026-32995
  3. CVE · CVE-2026-29198
  4. CVE · CVE-2026-33265
  5. CVE · CVE-2025-8850
  6. CVE · Apache RocketMQ Command Execution Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.