Platform
nodejs
Component
rocket.chat
Fixed in
7.8.7
7.9.9
7.10.8
7.11.5
7.12.5
7.13.4
8.0.1
CVE-2026-28514 describes a critical authentication bypass vulnerability discovered in Rocket.Chat, a popular open-source communication platform. This flaw allows an attacker to log in as any user, effectively gaining unauthorized access to their accounts. The vulnerability affects versions of Rocket.Chat prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0. A fix is available in version 8.0.0.
The impact of this vulnerability is severe. An attacker can bypass Rocket.Chat's authentication mechanism and impersonate any user within the system. This allows them to read sensitive messages, access confidential data, modify user profiles, and potentially escalate privileges to gain administrative control. The ability to log in as any user significantly expands the attack surface and could lead to widespread data breaches and disruption of communication channels. This vulnerability is particularly concerning given Rocket.Chat's use in organizations handling sensitive information.
CVE-2026-28514 was publicly disclosed on 2026-03-06. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on CISA KEV as of this writing. The root cause is a missing await keyword in an asynchronous password validation function, leading to a Promise object being evaluated instead of a boolean result. This is a common coding error that can lead to authentication bypasses.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
The primary mitigation for CVE-2026-28514 is to immediately upgrade Rocket.Chat to version 8.0.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to sensitive features and closely monitoring user activity for suspicious logins. While a direct WAF rule is difficult to implement for this authentication bypass, strict rate limiting on login attempts can help mitigate brute-force attacks. Review Rocket.Chat's security best practices for additional hardening measures.
Update Rocket.Chat to version 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, or 8.0.0, or a later version. This corrects the authentication bypass vulnerability in the ddp-streamer service.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28514 is a critical vulnerability in Rocket.Chat versions before 8.0.0 that allows attackers to bypass authentication and log in as any user with a password.
You are affected if you are running Rocket.Chat versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, or 8.0.0.
Upgrade Rocket.Chat to version 8.0.0 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation of CVE-2026-28514, but it is crucial to apply the patch promptly.
Refer to the official Rocket.Chat security advisory for detailed information and updates: [https://rocket.chat/security/advisories/](https://rocket.chat/security/advisories/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.