CVE-2026-28514 is a critical improper authentication vulnerability (CWE-287) affecting multiple versions of Rocket.Chat, an open-source communication platform. The root cause is a missing 'await' keyword in the asynchronous password validation call within the ddp-streamer microservice's account service. Instead of awaiting the asynchronous function that returns a boolean indicating password validity, the code evaluates the Promise object itself, which is always truthy. This logic flaw allows an attacker to bypass password checks entirely and authenticate as any user with a known or guessable username by submitting any arbitrary password. The vulnerability affects all versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, where patches have been applied. Exploitation requires no privileges, no user interaction, and can be performed remotely over the network. The vulnerability compromises confidentiality, integrity, and availability by enabling full account takeover, potentially allowing attackers to access sensitive communications, impersonate users, and disrupt services. Despite no known exploits in the wild as of publication, the critical CVSS 9.3 score underscores the urgency of remediation.

The impact of CVE-2026-28514 is severe for organizations using vulnerable Rocket.Chat versions. Successful exploitation results in complete account takeover without needing valid credentials, enabling attackers to access private communications, impersonate legitimate users, and potentially escalate privileges within the platform. This can lead to data breaches, unauthorized disclosure of sensitive information, disruption of communication workflows, and loss of trust. Organizations relying on Rocket.Chat for internal or external communications, especially those in regulated industries or handling sensitive data, face significant risks of compliance violations and reputational damage. The vulnerability's ease of exploitation and lack of required authentication make it highly attractive for attackers, increasing the likelihood of targeted attacks or automated exploitation once public proof-of-concept code emerges.

To mitigate this vulnerability, organizations must promptly upgrade Rocket.Chat to one of the patched versions: 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, or 8.0.0. Immediate patching is critical to prevent unauthorized access. Additionally, organizations should audit user accounts for suspicious login activity and enforce strong username policies to reduce guessability. Implementing multi-factor authentication (MFA) can provide an additional security layer, limiting the impact of compromised credentials. Network-level protections such as IP whitelisting or VPN access for Rocket.Chat services can reduce exposure. Monitoring and alerting on anomalous authentication attempts and reviewing logs for unusual access patterns will help detect exploitation attempts early. Finally, organizations should educate users about the vulnerability and encourage prompt reporting of suspicious behavior.