CVSS 4.0 base score: 8.0

Rocket.Chat: DDP Streamer Login Bypasses 2FA and Deactivated-Account Checks

CVE-2026-30831
Summary

Affected Rocket.Chat releases expose an Account.login method through the enterprise DDP Streamer service that skips checks the standard Meteor login flow enforces: it does not require the second factor for users who have Two-Factor Authentication enabled, and it lets deactivated accounts log in. Anyone holding a user's password, including the password of an account an administrator has deactivated, can therefore obtain a session through this path without completing 2FA. Update to a patched version of Rocket.Chat to fix this issue.

What to do

Fixed releases are available for every affected line: upgrade to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0 (or later on that line). The weak login path is the Account.login method exposed by the enterprise DDP Streamer service, so until the upgrade is applied, review which clients can reach that service and re-check the status of accounts you have deactivated.

Affected software
Ranges follow the original description below: each release line is affected prior to the listed fix version.

Vendor        Product       Affected versions    Fix available
rocket.chat   rocket.chat   < 7.10.8             7.10.8
rocket.chat   rocket.chat   7.11.0 to 7.11.4     7.11.5
rocket.chat   rocket.chat   7.12.0 to 7.12.4     7.12.5
rocket.chat   rocket.chat   7.13.0 to 7.13.3     7.13.4
rocket.chat   rocket.chat   8.0.0 to 8.0.1       8.0.2
rocket.chat   rocket.chat   8.1.0                8.1.1
rocket.chat   rocket.chat   none (8.2.0, the first 8.2 release, already carries the fix)   8.2.0
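An added check, not from this page or from Rocket.Chat: given a version string, decide whether it falls in an affected range using the fix versions listed above. The rule encoded is the advisory's own ("prior to" each fix version on its release line, and everything before the oldest fix). Release lines the advisory does not mention, such as a hypothetical 7.14.x or 8.3.x, return null rather than a guess.

```javascript
// Added example (not Rocket.Chat code): classify a Rocket.Chat version
// against the fix versions named in the advisory.
const FIXED_VERSIONS = ['7.10.8', '7.11.5', '7.12.5', '7.13.4', '8.0.2', '8.1.1', '8.2.0'];

// Parse "major.minor.patch" (any suffix such as "-rc.1" is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version is in an affected range
// false -> version is at or past the fix for its release line
// null  -> the advisory lists no fix for this release line, so no verdict
function isAffected(version) {
  const [major, minor] = parseVersion(version);
  // Everything older than the oldest fix is affected ("prior to 7.10.8").
  if (compareVersions(version, FIXED_VERSIONS[0]) < 0) return true;
  const fix = FIXED_VERSIONS.find((f) => {
    const [fMajor, fMinor] = parseVersion(f);
    return fMajor === major && fMinor === minor;
  });
  if (!fix) return null;
  return compareVersions(version, fix) < 0;
}

// Usage: feed it the version string your server reports.
console.log(isAffected('7.11.3')); // true
console.log(isAffected('8.2.0'));  // false
```

The running version is reported by the Rocket.Chat REST endpoint `/api/info`; pass the `version` value it returns to `isAffected`.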
Original title
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in...
Original description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
Score: NVD CVSS 4.0 base score 8.0
Vulnerability type
CWE-287 Improper Authentication
CWE-304 Missing Critical Step in Authentication
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026