CVE-2026-30831 identifies a critical improper authentication vulnerability in the Rocket.Chat enterprise DDP Streamer service. Rocket.Chat is an open-source communication platform widely used for secure messaging and collaboration. The vulnerability exists in the Account.login method exposed via the DDP Streamer, which bypasses essential authentication checks present in the standard Meteor login flow. Specifically, this method fails to enforce Two-Factor Authentication (2FA) and does not verify user account status, allowing deactivated users to authenticate successfully. This flaw stems from inconsistent authentication logic between the DDP Streamer service and the main login process, violating secure authentication principles (CWE-287). The vulnerability affects multiple versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, all of which have been patched to enforce proper 2FA and account status validation. Exploitation requires no privileges or user interaction and can be performed remotely over the network, increasing the attack surface. The vulnerability impacts confidentiality and integrity by enabling unauthorized access to potentially sensitive communications and data within Rocket.Chat deployments. No known active exploits have been reported, but the high CVSS score (8.0) reflects the severity and ease of exploitation. The issue highlights the importance of consistent authentication enforcement across all service interfaces in complex applications.

The vulnerability allows attackers to bypass Two-Factor Authentication and login restrictions for deactivated accounts, granting unauthorized access to Rocket.Chat instances. This can lead to unauthorized disclosure of sensitive communications, impersonation of legitimate users, and potential lateral movement within an organization's network. The lack of 2FA enforcement significantly lowers the barrier for attackers to compromise accounts, increasing the risk of data breaches. Organizations relying on Rocket.Chat for confidential communications, especially in regulated industries or government sectors, face increased risk of espionage, data leakage, and operational disruption. The vulnerability affects all users of impacted Rocket.Chat versions, potentially exposing large user bases. Since exploitation requires no privileges or user interaction and can be performed remotely, the threat can be automated and scaled. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a prime target for attackers once weaponized. Failure to patch promptly could result in significant reputational damage, regulatory penalties, and loss of trust.

Organizations should immediately upgrade Rocket.Chat to one of the patched versions: 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, or 8.2.0, depending on their current version. Until upgrading is possible, administrators should restrict network access to the DDP Streamer service to trusted internal networks or VPNs to reduce exposure. Implement strict monitoring and logging of authentication attempts on Rocket.Chat instances to detect anomalous login behavior, particularly from deactivated accounts or failed 2FA attempts. Review and enforce account lifecycle management policies to ensure deactivated accounts are promptly disabled across all authentication interfaces. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious DDP Streamer login requests. Conduct internal audits to verify that all authentication flows consistently enforce 2FA and account status checks. Educate users and administrators about the importance of applying security patches promptly and monitoring for unusual activity. Finally, integrate Rocket.Chat security updates into the organization's vulnerability management and patching processes to prevent future lapses.