=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN278
_____________________________________________________________________

DATE                : 10/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rocket.Chat Enterprise Edition with
                     the ddp-streamer micro service. GHSA-w6vw-mrgv-69vf
                     affects versions prior to 8.0.0, 7.13.3, 7.12.4,
                     7.11.4, 7.10.7, 7.9.8, 7.8.6. GHSA-hgq6-9jg2-wf3f and
                     GHSA-7qr6-q62g-hm63 affect versions prior to 8.2.0,
                     8.1.1, 8.0.2, 7.13.4, 7.12.5, 7.11.5, 7.10.8.

=====================================================================
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-hgq6-9jg2-wf3f
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-7qr6-q62g-hm63
_____________________________________________________________________


Users can login with any password via the EE ddp-streamer-service
Critical
julio-rocketchat published GHSA-w6vw-mrgv-69vf Mar 5, 2026

Package
No package listed

Affected versions
< 8.0.0, < 7.13.3, < 7.12.4, < 7.11.4, < 7.10.7, < 7.9.8, < 7.8.6

Patched versions
8.0.0, 7.13.3, 7.12.4, 7.11.4, 7.10.7, 7.9.8, 7.8.6


Description

Issue 1: Users can login with any password via the EE
ddp-streamer-service (GHSL-2026-004)

A critical authentication bypass vulnerability exists in Rocket.Chat's
account service used in the ddp-streamer micro service that allows an
attacker to log in to the service as any user with a password set,
using any arbitrary password. The vulnerability stems from a missing
await keyword when calling an asynchronous password validation function,
causing a Promise object (which is always truthy) to be evaluated
instead of the actual boolean validation result. This may lead to account
takeover of any user whose username is known or guessable.

The vulnerability originates from improper handling of asynchronous
password validation in the authentication flow:

Password Validation Function - ee/apps/account-service/src/lib/utils.ts

The validatePassword function returns a Promise<boolean> by calling
bcrypt.compare():

    export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
        bcrypt.compare(getPassword(password), bcryptPassword);

Missing Await in Login Logic - ee/apps/account-service/src/lib/loginViaUsername.ts

The critical flaw occurs when validatePassword is called without await:

    const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);

    if (!valid) {
        return false;
    }

Since a Promise object is always truthy in JavaScript, the condition
!valid is never true when a bcrypt hash exists, bypassing password
validation entirely.

The vulnerability is externally reachable through the login method exposed
by the ddp-streamer micro service (reachable via <rocketchat-host>/websocket):

   server.methods({
       async login(resume, user, password) {
           const result = await Account.login({ resume, user, password });
           // ...
       }
   });

Impact

This issue leads to attackers being able to interact with available DDP
methods, which may lead to account takeover depending on the attack path.


Remediation

Add the missing await to the validatePassword call. Enable a lint rule that
flags unawaited promises (for example @typescript-eslint/no-floating-promises)
so that this class of bug is caught before it ships; the TypeScript compiler
itself does not report a Promise used in a boolean context.


CWEs

    CWE-287: Improper Authentication


Credit

These issues were discovered by an AI agent developed by the GitHub Security
Lab and reviewed by GHSL team members @p- (Peter Stöckli) and @m-y-mo
(Man Yue Mo).


Contact

You can contact the GHSL team at securitylab@github.com, please include a
reference to GHSL-2026-004 or GHSL-2026-005 in any communication regarding
these issues.

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in
more detail in our coordinated disclosure policy.


Severity
Critical

CVE ID
CVE-2026-28514

Weaknesses
Weakness CWE-287

Credits

    @p- (Reporter)


_____________________________________________________________________


NoSQL injection in the EE ddp-streamer-service
High
julio-rocketchat published GHSA-hgq6-9jg2-wf3f Mar 5, 2026

Package
No package listed

Affected versions
< 8.2.0, < 8.1.1, < 8.0.2, < 7.13.4, < 7.12.5, < 7.11.5, < 7.10.8

Patched versions
8.2.0, 8.1.1, 8.0.2, 7.13.4, 7.12.5, 7.11.5, 7.10.8


Description

Issue 2: NoSQL injection in the EE ddp-streamer-service (GHSL-2026-005)

A NoSQL injection vulnerability exists in Rocket.Chat's account service
used in the ddp-streamer micro service that allows unauthenticated
attackers to manipulate MongoDB queries during authentication. The
vulnerability is located in the username-based login flow where
user-supplied input is directly embedded into a MongoDB query selector
without validation. An attacker can inject MongoDB operator expressions
(e.g., { $regex: '.*' }) in place of a username string, causing the
database query to match unintended user records.

The NoSQL injection surface exists in the authentication flow where the
username parameter from the client is used directly in a MongoDB
findOne query without type or content validation.

ee/apps/account-service/src/lib/loginViaUsername.ts:

    Users.findOne<IUser>({ username }, { projection: { 'services.password.bcrypt': 1 } });

The vulnerability is externally reachable through the login method exposed
by the ddp-streamer micro service (reachable via <rocketchat-host>/websocket):

   server.methods({
       async login(resume, user, password) {
           const result = await Account.login({ resume, user, password });
           // ...
       }
   });


Impact

This issue may allow an attacker to log in without knowing a target's full
username (especially in combination with GHSL-2026-004, where any password is
accepted once the query has matched a user with a password hash).

Remediation

Validate that the username parameter is a primitive string before using
it in the query and/or use parameterized queries if possible.

CWEs

    CWE-943: Improper Neutralization of Special Elements in Data Query Logic


Credit

These issues were discovered by an AI agent developed by the GitHub
Security Lab and reviewed by GHSL team members @p- (Peter Stöckli) and
@m-y-mo (Man Yue Mo).


Contact

You can contact the GHSL team at securitylab@github.com, please include
a reference to GHSL-2026-004 or GHSL-2026-005 in any communication
regarding these issues.


Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in
more detail in our coordinated disclosure policy.


Severity
High

CVE ID
CVE-2026-30833

Weaknesses
Weakness CWE-943

Credits

    @p- (Reporter)


_____________________________________________________________________


2FA bypass and login of deactivated users via EE ddp-streamer
High
julio-rocketchat published GHSA-7qr6-q62g-hm63 Mar 5, 2026

Package
No package listed

Affected versions
< 8.2.0, < 8.1.1, < 8.0.2, < 7.13.4, < 7.12.5, < 7.11.5, < 7.10.8

Patched versions
8.2.0, 8.1.1, 8.0.2, 7.13.4, 7.12.5, 7.11.5, 7.10.8


Description
2FA bypass and login of deactivated users via EE ddp-streamer
(GHSL-2026-008)

Authentication vulnerabilities exist in Rocket.Chat's enterprise DDP
Streamer service. The Account.login method exposed through the DDP
Streamer does not enforce Two-Factor Authentication (2FA) or validate
user account status (deactivated users can still login), despite these
checks being mandatory in the standard Meteor login flow.

The code at ee/apps/account-service/src/lib/Account.ts#L31-L40 neither
enforces a 2FA check nor validates the account status of the user, whereas
in the standard login flow onValidateLogin checks the TOTP code and
validateLoginAttemptAsync checks that the user is active.


Impact

The missing account status check might allow deactivated users to log in.
The missing 2FA enforcement might lead to successful account takeover
through a brute-force based attack (e.g. password spraying), since the
second factor no longer protects a guessed password.


Remediation

Enforce 2FA in Account.login and reject logins for users where
active === false in both loginViaUsername.ts and loginViaResume.ts.

Long-term Recommendations

    Consolidate authentication logic to ensure all login paths use the
    same security controls.
    Add integration tests that verify 2FA is enforced across all
    authentication endpoints.

CWEs

    CWE-287: Improper Authentication
    CWE-304: Missing Critical Step in Authentication

Credit

These issues were discovered by an AI agent developed by the GitHub Security
Lab and reviewed by GHSL team members @p- (Peter Stöckli) and
@m-y-mo (Man Yue Mo).


Contact

You can contact the GHSL team at securitylab@github.com, please include a
reference to GHSL-2026-008 or GHSL-2026-009 in any communication regarding
these issues.


Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more
detail in our coordinated disclosure policy.


Severity
High

CVE ID
CVE-2026-30831

Weaknesses
Weakness CWE-287
Weakness CWE-304


Credits

    @p- (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================