#RocketChat has a critical authentication bypass vulnerability due to a forgotten await keyword ("Users can login with any password via the EE ddp-streamer-service", CVE-2026-28514):

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-w6vw-mrgv-69vf

The vulnerability has been patched in RocketChat 8.0.0, 7.13.3, 7.12.4, 7.11.4, 7.10.7, 7.9.8 and 7.8.6.

These issues were discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members Peter Stöckli and Man Yue Mo.

I often voice my dislike of misguided AI use. This right here is actually good use of AI.

#CVE_2026_28514 #infosec #cybersecurity


### Issue 1: Users can login with any password via the EE ddp-streamer-service (`GHSL-2026-004`)

A critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the...

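The bug class named above (an async password check called without `await`), shown as an added example that is not Rocket.Chat's code and does not come from the post or the advisory. All names (`validatePassword`, `loginVulnerable`, `loginFixed`, the user store) are hypothetical, and the plain-text comparison stands in for a real hash check.

```javascript
// Constructed user store for this example only.
const USERS = new Map([['alice', 'correct horse battery staple']]);

// Async credential check: resolves to true only when the password matches.
async function validatePassword(username, password) {
  await null; // stands in for a database lookup or hashing call
  return USERS.has(username) && USERS.get(username) === password;
}

// Vulnerable form: the call is not awaited, so `valid` is a pending Promise.
// A Promise object is always truthy, so the rejection branch never runs.
async function loginVulnerable(username, password) {
  const valid = validatePassword(username, password);
  if (!valid) {
    return { ok: false };
  }
  return { ok: true, user: username };
}

// Hardened form: await the result and fail closed unless it is exactly `true`.
// The strict comparison also rejects a Promise if the await is ever dropped again.
async function loginFixed(username, password) {
  const valid = await validatePassword(username, password);
  if (valid !== true) {
    return { ok: false };
  }
  return { ok: true, user: username };
}

// Runs both variants against a wrong and a correct password.
async function demo() {
  return {
    vulnerableWrong: await loginVulnerable('alice', 'not the password'),
    fixedWrong: await loginFixed('alice', 'not the password'),
    fixedRight: await loginFixed('alice', 'correct horse battery staple'),
  };
}

demo().then((results) => console.log(results));
```

The typescript-eslint rules `no-floating-promises` and `no-misused-promises` flag this pattern at lint time, the latter specifically when a Promise is used in a condition.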