2FA bypass and login of deactivated users via EE ddp-streamer (GHSL-2026-008)
Authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still log in), despite these checks being mandatory in the standard Meteor login flow.
The code at ee/apps/account-service/src/Account.ts#L31-L40 neither enforces a 2FA check nor validates the account status of the user, whereas in the standard flow onValidateLogin checks the TOTP code and validateLoginAttemptAsync checks that the user is active.
Impact
The missing user account status check might allow deactivated users to log in. The missing 2FA enforcement might lead to successful account takeover through a brute-force based attack (e.g. password spraying).
Remediation
Enforce 2FA in Account.login and reject logins for users where active === false in both loginViaUsername.ts and loginViaResume.ts.
Long-term Recommendations
- Consolidate authentication logic to ensure all login paths use the same security controls
- Add integration tests that verify 2FA is enforced across all authentication endpoints
CWEs
- CWE-287: Improper Authentication
- CWE-304: Missing Critical Step in Authentication
Credit
These issues were discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2026-008 or GHSL-2026-009 in any communication regarding these issues.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.