PT-2026-23735 · Rocket.Chat · Rocket.Chat
Published 2026-03-06 · Updated 2026-03-12 · CVE-2026-28514
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Rocket.Chat versions prior to 7.8.6
Rocket.Chat versions prior to 7.9.8
Rocket.Chat versions prior to 7.10.7
Rocket.Chat versions prior to 7.11.4
Rocket.Chat versions prior to 7.12.4
Rocket.Chat versions prior to 7.13.3
Rocket.Chat versions prior to 8.0.0
Description
Rocket.Chat is a communications platform. A critical issue exists in the account service within the ddp-streamer microservice that allows an attacker to authenticate as any user with a set password, using an arbitrary password. This is due to a missing 'await' keyword when validating passwords asynchronously, resulting in a Promise object being incorrectly evaluated as a successful authentication. This could lead to account takeover if a username is known or can be guessed.
Recommendations
Update Rocket.Chat to version 7.8.6 or later.
Update Rocket.Chat to version 7.9.8 or later.
Update Rocket.Chat to version 7.10.7 or later.
Update Rocket.Chat to version 7.11.4 or later.
Update Rocket.Chat to version 7.12.4 or later.
Update Rocket.Chat to version 7.13.3 or later.
Update Rocket.Chat to version 8.0.0 or later.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-28514
GHSA-W6VW-MRGV-69VF

Affected Products

Rocket.Chat