CRITICAL🇵🇱 Wersja polska

CVE-2026-28514

CVSS 9.3v4.0pub. 2026-03-06upd. 2026-03-18

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Rocket.chat

    APP
    Rocket.Chat
    8.0.07.9.0 – 7.9.8 (bez)7.10.0 – 7.10.7 (bez)< 7.8.67.12.0 – 7.12.4 (bez)7.13.0 – 7.13.3 (bez)7.11.0 – 7.11.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-48616CRITICAL9.3ten sam produkt

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerab...

CVE-2026-29198CRITICAL9.8PL ✓ten sam produkt

Rocket.Chat — NoSQL injection umożliwiający przejęcie konta (SQLi)

CVE-2023-28316CRITICAL9.8ten sam produkt

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where o...

CVE-2022-44567CRITICAL9.8ten sam produkt

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a...

CVE-2021-22910CRITICAL9.8ten sam produkt

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed quer...