CVE-2026-28514

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/RocketChat/Rocket.Chat/commit/7d89aae0b1bd08e82b02ceab4c180b430e2c6f07	Patch
https://github.com/RocketChat/Rocket.Chat/pull/37143	Issue Tracking Patch
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat::::::::
	cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc0::::::
	cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc1::::::
	cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc2::::::
	cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc3::::::
	cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc4::::::
	cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc5::::::

History

No history.

Information

Published : 2026-03-06 18:16

Updated : 2026-03-18 16:10

NVD link : CVE-2026-28514

Mitre link : CVE-2026-28514

CVE.ORG link : CVE-2026-28514

JSON object : View

Products Affected

rocket.chat

rocket.chat

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-28514", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T18:16:19.103", "references": [{"url": "https://github.com/RocketChat/Rocket.Chat/commit/7d89aae0b1bd08e82b02ceab4c180b430e2c6f07", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RocketChat/Rocket.Chat/pull/37143", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0."}, {"lang": "es", "value": "Rocket.Chat es una plataforma de comunicaciones de c\u00f3digo abierto, segura y totalmente personalizable. Antes de las versiones 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3 y 8.0.0, existe una vulnerabilidad cr\u00edtica de omisi\u00f3n de autenticaci\u00f3n en el servicio de cuentas de Rocket.Chat utilizado en el microservicio ddp-streamer que permite a un atacante iniciar sesi\u00f3n en el servicio como cualquier usuario con una contrase\u00f1a establecida, utilizando cualquier contrase\u00f1a arbitraria. La vulnerabilidad se deriva de la ausencia de la palabra clave await al llamar a una funci\u00f3n as\u00edncrona de validaci\u00f3n de contrase\u00f1a, lo que provoca que se eval\u00fae un objeto Promise (que siempre es truthy) en lugar del resultado de validaci\u00f3n booleano real. Esto puede llevar a la toma de control de la cuenta de cualquier usuario cuyo nombre de usuario sea conocido o adivinable. Este problema ha sido parcheado en las versiones 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3 y 8.0.0."}], "lastModified": "2026-03-18T16:10:07.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDF1710B-451A-45DE-92B2-5EB0DB847964", "versionEndExcluding": "7.8.6"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "624B69A1-3489-4BC3-9A47-AC5AC4743CE8", "versionEndExcluding": "7.9.8", "versionStartIncluding": "7.9.0"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A1AA90D-199C-4AA9-96CA-3CFD7E043572", "versionEndExcluding": "7.10.7", "versionStartIncluding": "7.10.0"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A10B0BA-17CC-4AFF-A2F4-20E5252EB0F1", "versionEndExcluding": "7.11.4", "versionStartIncluding": "7.11.0"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B33BA4A7-71F3-42EE-A29B-936AA166CA45", "versionEndExcluding": "7.12.4", "versionStartIncluding": "7.12.0"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50874BCF-361F-416D-9A32-E6C43E12E218", "versionEndExcluding": "7.13.3", "versionStartIncluding": "7.13.0"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92CEECD0-CC4A-4798-9139-F14FEE8608FA"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBCB3AD1-0707-49FB-B837-811D87494991"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C6204C2-7FFC-4D41-A623-D19A47469A0B"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D9076FE-EDA5-49E8-BB23-2B3FF17F70F5"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "140941C3-08BF-4920-AA63-ED00DE58AF66"}, {"criteria": "cpe:2.3:a:rocket.chat:rocket.chat:8.0.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DAE103A-461A-4379-B322-577711AA0EC0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}