CVE-2026-28514 in Rocket.Chat

Summary

by MITRE • 03/06/2026

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.


Analysis

by VulDB Data Team • 03/19/2026

The vulnerability identified as CVE-2026-28514 represents a critical authentication bypass flaw in Rocket.Chat's account service within the ddp-streamer microservice. This issue affects multiple versions of the platform prior to the patched releases, creating a significant security risk for organizations relying on this communications platform. The flaw specifically targets the password validation mechanism, allowing attackers to exploit a fundamental programming error that undermines the platform's core authentication security model.

The technical root cause of this vulnerability is a missing await keyword on the call to the asynchronous password validation function. When await is omitted on a call to an async function, the call expression evaluates to a Promise object rather than to the value the operation eventually resolves to. A Promise object is always truthy in JavaScript, so a check such as `if (!valid)` never fires and the authentication logic accepts any password as valid. The system evaluates the Promise object itself instead of the boolean result of the password comparison, which bypasses authentication entirely.

The operational impact of this vulnerability is severe, as it enables attackers to gain unauthorized access to any user account on the Rocket.Chat platform. An attacker can log in as any user with a password set, using any arbitrary password, provided they know or can guess the target username. This is a complete account takeover: a malicious actor can read sensitive communications and private messages, manipulate user data, and potentially escalate privileges within the system. Because the flaw affects the entire user base of vulnerable versions, it is particularly dangerous for organizations with many users.

This vulnerability aligns with CWE-362, which describes the weakness of concurrent execution using shared resources, specifically in the context of improper handling of asynchronous operations. The flaw also relates to ATT&CK technique T1078.004, which covers valid accounts through compromised credentials, as attackers can effectively acquire valid access to user accounts without needing to bypass additional security controls. Organizations using vulnerable versions of Rocket.Chat face significant risk of data breaches, unauthorized access to communications, and potential lateral movement within their network infrastructure.

The remediation for this vulnerability requires immediate deployment of the patched versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0. System administrators should conduct comprehensive vulnerability assessments to identify all instances of affected Rocket.Chat deployments and ensure proper patching across all environments. Additionally, organizations should implement monitoring for suspicious authentication patterns and consider implementing additional security controls such as multi-factor authentication to mitigate potential exploitation of similar vulnerabilities in other parts of their infrastructure.

Responsible

GitHub M

Reservation

02/27/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00076

KEV

no

Activities

very low

Sources
