Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.

INFO

Published Date :

2026-03-06T17:35:01.841Z

Last Modified :

2026-03-11T03:56:35.920Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28514 vulnerability.

Vendors Products
Rocket.chat
  • Rocket.chat
Rocketchat
  • Rocket.chat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28514.

URL Resource
https://github.com/RocketChat/Rocket.Chat/commit/7d89aae0b1bd08e82b02ceab4c180b430e2c6f07 cve-icon cve-icon
https://github.com/RocketChat/Rocket.Chat/pull/37143 cve-icon cve-icon
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact