Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to bypass authentication and log in as any user whose username is known or guessable, using any arbitrary password.'}, {'type': 'paragraph', 'content': "The impact includes potential account takeover, unauthorized access to user accounts, and the ability to interact with Rocket.Chat's DDP methods as the compromised user."}] [3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28514 is a critical authentication bypass vulnerability in Rocket.Chat's account service used by the ddp-streamer microservice. The flaw occurs because the code fails to await an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean result. This means that an attacker can log in as any user with a password set by supplying any arbitrary password, effectively bypassing password checks."}, {'type': 'paragraph', 'content': "The root cause is a missing 'await' keyword when calling the asynchronous validatePassword function that uses bcrypt.compare(). Without awaiting, the Promise is not resolved before the check, so the password validation always passes if a bcrypt hash exists."}, {'type': 'paragraph', 'content': 'This vulnerability affects Rocket.Chat versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, where it has been patched.'}] [3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring login attempts to the Rocket.Chat ddp-streamer microservice, specifically looking for authentication bypass attempts where any arbitrary password is accepted for known usernames.

Since the vulnerability is due to a missing await on an asynchronous password validation function, detection involves checking if the affected versions of Rocket.Chat are in use (versions prior to 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0).

You can detect vulnerable versions by querying the Rocket.Chat server version via its API or inspecting the installed package version.

• Check Rocket.Chat version via API or server: Use commands like `curl -s http://<rocketchat-host>/api/info` or check the version in the Rocket.Chat admin panel.
• Monitor websocket login attempts to `<rocketchat-host>/websocket` for suspicious authentication behavior, such as successful logins with incorrect passwords.
• Review server logs for unusual login successes or failed password validation attempts.

No specific commands for direct detection of the missing await issue are provided in the resources.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Rocket.Chat to a patched version that fixes the vulnerability.

• Upgrade Rocket.Chat to one of the patched versions: 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, or 8.0.0.

The patch involves adding the missing `await` keyword to the asynchronous password validation call, ensuring proper password verification.

Additionally, enabling strict TypeScript compiler options such as `@typescript-eslint/no-floating-promises` can help detect similar issues in the codebase.

As a temporary measure, monitor and restrict access to the Rocket.Chat websocket endpoint to trusted networks or users to reduce the risk of exploitation.

Useful 0 Not Useful 0