CVE-2026-1568
Signature Verification Bypass in Rapid7 InsightVM Enables Account Takeover

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Rapid7, Inc.

Description
Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Affected Vendors & Products
Vendor Product Version
rapid7 insightvm to 8.34.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in Rapid7 InsightVM versions before 8.34.0 is a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint.

This flaw allows an attacker to gain unauthorized access to InsightVM accounts that are set up via "Security Console" installations.

The root cause is that the application processes unsigned assertions and issues session cookies granting access to targeted user accounts, enabling full account takeover.

This issue has been fixed in version 8.34.0 of InsightVM.


How can this vulnerability impact me? :

This vulnerability can lead to a full account takeover of InsightVM user accounts.

An attacker exploiting this issue could gain unauthorized access to sensitive data and functionalities within the InsightVM platform.

Given the CVSS score of 9.6 (Critical), the impact includes high confidentiality and integrity loss, although availability is not affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Rapid7 InsightVM to version 8.34.0 or later, where the signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart
Meta Information
CVE Publication Date:
2026-02-03
CVE Last Modified Date:
2026-02-03
Report Generation Date:
2026-02-10
AI Powered Q&A Generation:
2026-02-04
EPSS Last Evaluated Date:
2026-02-09
NVD Report Link: