CVE-2026-28514 is an authentication bypass vulnerability affecting multiple versions of Rocket.Chat, an open-source communication platform. The root cause is a missing 'await' keyword in the asynchronous password validation function within the account service of the ddp-streamer microservice. Instead of awaiting the result of the password check, the code evaluates the Promise object directly, which is always truthy, causing the authentication logic to erroneously accept any password for users with a password set. This flaw allows attackers to bypass authentication controls and log in as any user whose username is known or guessable, effectively enabling account takeover. The vulnerability affects all versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, where the issue has been patched. The CVSS 4.0 score of 9.3 reflects the critical nature of this vulnerability, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the simplicity of exploitation and the severity of impact make this a high-priority issue for organizations using affected Rocket.Chat versions.

The vulnerability allows attackers to bypass authentication and gain unauthorized access to any user account in the affected Rocket.Chat deployments. This can lead to full account takeover, exposing sensitive communications, internal data, and potentially administrative controls if admin accounts are compromised. Confidentiality is severely impacted as attackers can read private messages and files. Integrity is at risk because attackers can impersonate users, send malicious messages, or alter data. Availability could also be affected if attackers disrupt communications or lock out legitimate users. The ease of exploitation—requiring only knowledge or guessing of a username and no valid password—makes this vulnerability particularly dangerous. Organizations relying on Rocket.Chat for secure internal or external communications face significant risks of data breaches, espionage, and operational disruption.

Organizations should immediately upgrade all Rocket.Chat instances to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, or 8.0.0 or later, where the vulnerability is patched. Until upgrades are applied, restrict access to Rocket.Chat services using network-level controls such as firewalls or VPNs to limit exposure. Implement multi-factor authentication (MFA) to reduce the impact of compromised accounts. Conduct thorough audits of user accounts and session logs to detect suspicious logins or anomalies. Review and rotate credentials for critical accounts, especially administrative users. Monitor for unusual authentication patterns and consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block exploitation attempts. Educate users about the vulnerability and encourage reporting of any suspicious activity. Finally, maintain an incident response plan to quickly address any compromise resulting from this vulnerability.