Platform: nodejs
Component: rocket.chat
Fixed in: 7.8.7, 7.9.9, 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.1
CVE-2026-28514 describes a critical authentication bypass vulnerability discovered in Rocket.Chat, a popular open-source communication platform. This flaw allows an attacker to log in as any user, effectively gaining unauthorized access to their accounts. The vulnerability affects versions of Rocket.Chat prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0. A fix is available in version 8.0.0.
The impact of this vulnerability is severe. An attacker can bypass Rocket.Chat's authentication mechanism and impersonate any user within the system. This allows them to read sensitive messages, access confidential data, modify user profiles, and potentially escalate privileges to gain administrative control. The ability to log in as any user significantly expands the attack surface and could lead to widespread data breaches and disruption of communication channels. This vulnerability is particularly concerning given Rocket.Chat's use in organizations handling sensitive information.
CVE-2026-28514 was publicly disclosed on 2026-03-06. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on CISA KEV as of this writing. The root cause is a missing await keyword in an asynchronous password validation function, leading to a Promise object being evaluated instead of a boolean result. This is a common coding error that can lead to authentication bypasses.
Organizations and teams relying on Rocket.Chat for internal or external communication are at risk, particularly those using older, unpatched versions. Shared hosting environments where multiple Rocket.Chat instances share resources are also at increased risk, as a compromise of one instance could potentially impact others.
• nodejs / server: Monitor Rocket.Chat logs for unusual login patterns, particularly failed login attempts followed by successful logins with arbitrary passwords. Use journalctl -u rocket.chat to filter for authentication-related events.
• generic web: Monitor access logs for requests to the authentication endpoint with unusual parameters or patterns.
• database (mongodb): Examine the Rocket.Chat MongoDB database for unexpected user accounts or modified user profiles.
Exploit status: disclosure
EPSS: 0.04% (percentile 13%)
CISA SSVC:
The primary mitigation for CVE-2026-28514 is to immediately upgrade Rocket.Chat to version 8.0.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to sensitive features and closely monitoring user activity for suspicious logins. While a direct WAF rule is difficult to implement for this authentication bypass, strict rate limiting on login attempts can help mitigate brute-force attacks. Review Rocket.Chat's security best practices for additional hardening measures.
Update Rocket.Chat to version 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3 or 8.0.0, or a later version. This fixes the authentication bypass vulnerability in the ddp-streamer service.
CVE-2026-28514 is a critical vulnerability in Rocket.Chat versions before 8.0.0 that allows attackers to bypass authentication and log in as any user, regardless of the password supplied.
You are affected if you are running Rocket.Chat versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, or 8.0.0.
Upgrade Rocket.Chat to version 8.0.0 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation of CVE-2026-28514, but it is crucial to apply the patch promptly.
Refer to the official Rocket.Chat security advisory for detailed information and updates: [https://rocket.chat/security/advisories/](https://rocket.chat/security/advisories/)