Back to search

RocketChat

Rocket.Chat

Open-source team chat and collaboration platform.

8.2 Switch to this train 8.3 Switch to this train 8.1 Switch to this train 8.0 Switch to this train 7.13 Switch to this train 7.12 Switch to this train 7.11 Current train 7.10 Switch to this train 7.9 EOL Switch to this train 7.8 EOL Switch to this train
Current version
Last checked: yesterday

7.11.7

Release date
April 13, 2026
CVE status
2 visible CVEs

Source

GitHub API

Public release notes are linked for the latest stored release.

View release notes Subscribe to updates

Release history

See the latest published releases stored for this product.

Version Published Notes
7.11.7 2026-04-13 Release Notes
7.11.6 2026-03-16 Release Notes

Vulnerability tracking

Review curated CVEs for this product and see whether the current version is marked affected. Only CVEs with a CVSS score of 7.0 or higher and published in the last 90 days are shown.

CVE Severity Published Status Summary
CVE-2026-30831 CRITICAL (9.8) 2026-03-06 Current versionnot affected

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.

Affected versions
  • Up to (excluding) 7.10.8
  • From (including) 7.11.0 - Up to (excluding) 7.11.5
Show 4 more
  • From (including) 7.12.0 - Up to (excluding) 7.12.5
  • From (including) 7.13.0 - Up to (excluding) 7.13.4
  • From (including) 8.0.0 - Up to (excluding) 8.0.2
  • From (including) 8.1.0 - Up to (excluding) 8.1.1
CVE-2026-28514 CRITICAL (9.8) 2026-03-06 Current versionnot affected

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.

Affected versions
  • Up to (excluding) 7.8.6
  • From (including) 7.9.0 - Up to (excluding) 7.9.8
Show 4 more
  • From (including) 7.10.0 - Up to (excluding) 7.10.7
  • From (including) 7.11.0 - Up to (excluding) 7.11.4
  • From (including) 7.12.0 - Up to (excluding) 7.12.4
  • From (including) 7.13.0 - Up to (excluding) 7.13.3