CVE-2026-28514
Published: 06 March 2026
Summary
CVE-2026-28514 is a critical-severity Improper Authentication (CWE-287) vulnerability in Rocket.Chat. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 14.2nd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. The low percentile reflects exploitation signals observed at publication, not difficulty: the flaw requires nothing more than a known or guessable username and an arbitrary password.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly and comprehensively mitigates this CVE by requiring timely identification, reporting and correction of the authentication bypass, in practice by upgrading to a fixed Rocket.Chat version.
- Partially addresses the vulnerability by mandating proper management and verification of password authenticators. Note that password strength and rotation do not help here: an affected server accepts any password for any user who has one set, so this control only reduces exposure once the flawed validation logic has been fixed.
- IA-2 (Identification and Authentication (Organizational Users)): partially mitigates the bypass by requiring robust identification and authentication for organizational users, but only to the extent that authentication is enforced by something other than the affected password check (for example an external identity provider or an additional factor). Whether any particular additional factor is evaluated in the affected code path is not stated in the advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass sits in a public-facing Rocket.Chat service (a missing await on an asynchronous password validation), so it directly enables remote, unauthenticated login as any user with a password set: Exploit Public-Facing Application (T1190). The access obtained is the use of an existing account, which maps to Valid Accounts (T1078).
NVD Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer microservice that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.
Deeper analysis
CVE-2026-28514 is a critical authentication bypass vulnerability (CWE-287) in Rocket.Chat, an open-source communications platform. It affects the account service used in the ddp-streamer microservice across versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0. The flaw stems from a missing "await" keyword when invoking an asynchronous password validation function, resulting in a Promise object—which is always truthy—being evaluated instead of the actual boolean validation outcome.
An unauthenticated attacker with network access (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) can exploit this to log in as any targeted user who has a password set, using any arbitrary password, as long as the username is known or guessable. Successful exploitation leads to complete account takeover, potentially compromising the victim's communications, data access, and administrative privileges within the platform.
Rocket.Chat has patched the vulnerability in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0. Security teams should prioritize upgrading affected deployments to these versions. Additional details on the fix are provided in the GitHub security advisory (GHSA-w6vw-mrgv-69vf), pull request #37143, and commit 7d89aae0b1bd08e82b02ceab4c180b430e2c6f07.
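Because the fix was backported to several release lines, "is my version patched?" is a per-line comparison rather than a single threshold. The following added example (not the project's code) encodes the fixed versions listed above and classifies a version string accordingly; any pre-8.0.0 line without a listed fix is treated as affected, which is how the NVD wording reads. The sample JSON and the assumption that a deployment's `GET /api/info` response carries a `version` field are constructed for the example; confirm the endpoint against your own instance.

```javascript
// Added example: classify a Rocket.Chat version against the CVE-2026-28514 fix
// list. Not the project's own code; the fixed versions are those in the advisory.
const FIXED = ['7.8.6', '7.9.8', '7.10.7', '7.11.4', '7.12.4', '7.13.3', '8.0.0'];

// Returns { nums: [major, minor, patch], pre: 'rc.1' | null }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: m[4] || null };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

const FIXED_PARSED = FIXED.map(parseVersion);

function isPatched(version) {
  const { nums, pre } = parseVersion(version);
  // A pre-release build may predate the fix that landed in the tagged release;
  // treat it conservatively as unpatched rather than guessing.
  if (pre) return false;
  // 8.0.0 and anything later carries the fix.
  if (compareNums(nums, [8, 0, 0]) >= 0) return true;
  // Same major.minor line as a backport: patched iff at or after the fix.
  const line = FIXED_PARSED.find(f => f.nums[0] === nums[0] && f.nums[1] === nums[1]);
  if (line) return compareNums(nums, line.nums) >= 0;
  // Any other pre-8.0.0 line has no listed fix: affected per the advisory wording.
  return false;
}

// Constructed sample of a GET /api/info response body (assumed shape).
const SAMPLE_INFO = '{"version":"7.11.3","success":true}';

function assessInfo(json) {
  const version = JSON.parse(json).version;
  return { version, patched: isPatched(version) };
}

module.exports = { isPatched, assessInfo, SAMPLE_INFO };
```

Run it against the version reported by each instance (including any separately deployed ddp-streamer pods, since the affected code lives in that microservice's account service) and treat anything it reports as unpatched as a priority upgrade.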
Details
- CWE(s)