9.8
CVE-2026-28514
- EPSS 0.5%
- Veröffentlicht 06.03.2026 17:35:01
- Zuletzt bearbeitet 18.03.2026 16:10:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Rocket.Chat: Users can login with any password via the EE ddp-streamer-service
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Rocket.Chat ≫ Rocket.Chat Version < 7.8.6
Rocket.Chat ≫ Rocket.Chat Version >= 7.9.0 < 7.9.8
Rocket.Chat ≫ Rocket.Chat Version >= 7.10.0 < 7.10.7
Rocket.Chat ≫ Rocket.Chat Version >= 7.11.0 < 7.11.4
Rocket.Chat ≫ Rocket.Chat Version >= 7.12.0 < 7.12.4
Rocket.Chat ≫ Rocket.Chat Version >= 7.13.0 < 7.13.3
Rocket.Chat ≫ Rocket.Chat Version8.0.0 Updaterc0
Rocket.Chat ≫ Rocket.Chat Version8.0.0 Updaterc1
Rocket.Chat ≫ Rocket.Chat Version8.0.0 Updaterc2
Rocket.Chat ≫ Rocket.Chat Version8.0.0 Updaterc3
Rocket.Chat ≫ Rocket.Chat Version8.0.0 Updaterc4
Rocket.Chat ≫ Rocket.Chat Version8.0.0 Updaterc5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.5% | 0.386 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 9.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf
https://github.com/RocketChat/Rocket.Chat/pull/37143
https://github.com/RocketChat/Rocket.Chat/commit/7d89aae0b1bd08e82b02ceab4c180b430e2c6f07