TROYANOSYVIRUS
Volver a CVEs

CVE-2026-28514

CRITICAL
9.8

Descripcion

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.

Detalles CVE

Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado3/6/2026
Ultima modificacion3/18/2026
Fuentenvd
Avistamientos honeypot0

Productos afectados

rocket.chat:rocket.chat

Debilidades (CWE)

CWE-287

Referencias

https://github.com/RocketChat/Rocket.Chat/commit/7d89aae0b1bd08e82b02ceab4c180b430e2c6f07(security-advisories@github.com)
https://github.com/RocketChat/Rocket.Chat/pull/37143(security-advisories@github.com)
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.