CVE-2026-1568
Unknown Unknown - Not Provided
Signature Verification Bypass in Rapid7 InsightVM Enables Account Takeover

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Rapid7, Inc.

Description
Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1568
EUVD
EUVD-2026-5244
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rapid7 insightvm to 8.34.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Rapid7 InsightVM versions before 8.34.0 is a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint.

This flaw allows an attacker to gain unauthorized access to InsightVM accounts that are set up via "Security Console" installations.

The root cause is that the application processes unsigned assertions and issues session cookies granting access to targeted user accounts, enabling full account takeover.

This issue has been fixed in version 8.34.0 of InsightVM.

Impact Analysis

This vulnerability can lead to a full account takeover of InsightVM user accounts.

An attacker exploiting this issue could gain unauthorized access to sensitive data and functionalities within the InsightVM platform.

Given the CVSS score of 9.6 (Critical), the impact includes high confidentiality and integrity loss, although availability is not affected.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rapid7 InsightVM to version 8.34.0 or later, where the signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1568. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart