CVE-2026-22560
Open Redirect in Rocket.Chat SAML Endpoint Allows Arbitrary Redirects
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: HackerOne
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rocket.chat | rocket.chat | to 8.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22560 is an open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 that affects the SAML Single Logout (SLO) redirect functionality.
The vulnerability allows attackers to manipulate the `redirect` query parameter in SAML SLO URLs to redirect users to arbitrary external URLs.
This happens because the function handling the redirect used the user-supplied `redirect` parameter without proper validation, enabling crafted URLs to redirect users to malicious sites.
How can this vulnerability impact me?
This vulnerability can be exploited to redirect users to malicious external websites.
Such redirects can be used for phishing attacks or credential theft by tricking users into visiting attacker-controlled sites.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable behaviour itself is confirmed by testing the endpoint; exploitation attempts show up as requests to the Rocket.Chat SAML Single Logout (SLO) redirect endpoint whose `redirect` query parameter points at a host other than your own Rocket.Chat site or the configured IdP.
- Look for requests matching the pattern: /_saml/sloRedirect/<idp>/?redirect=<external_url>, where <idp> is the name of the SAML provider configured in Rocket.Chat.
- Inspect reverse-proxy or web server access logs, or captured traffic. The parameter value is usually percent-encoded in logs (redirect=https%3A%2F%2F...), and a scheme-relative target (redirect=//attacker-host/) also leaves the site, so match those forms too, not only redirect=http.
- Example using grep on nginx access logs: it matches absolute and scheme-relative targets in plain or encoded form, then drops redirects back to your own site: grep -i '_saml/sloRedirect' /var/log/nginx/access.log | grep -Ei 'redirect=(https?(:|%3A)|//|%2F%2F)' | grep -Evi 'redirect=https?(:|%3A)(//|%2F%2F)your-rocket-chat-domain'
- To test the endpoint directly, send a GET request with a redirect target you control and read the Location header (use GET rather than curl -I, since the endpoint may handle HEAD differently; replace saml-test with your configured provider name): curl -sS -o /dev/null -D - 'https://your-rocket-chat-domain/_saml/sloRedirect/saml-test/?redirect=https://example.com/' A 302 response whose Location header is https://example.com/ shows the vulnerable behaviour; a patched instance does not send the browser to the external host.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Rocket.Chat to version 8.4.0 or later, where the fix has been applied.
If upgrading is not immediately possible, filter requests to the SAML SLO redirect endpoint at your reverse proxy or web application firewall (WAF) so that only `redirect` values that are relative paths, or absolute URLs whose host is your own Rocket.Chat site or the IdP's SLO endpoint, reach the application. Compare the parsed host of the target rather than searching for your domain as a substring: https://your-rocket-chat-domain.attacker-host/ and https://your-rocket-chat-domain@attacker-host/ both contain your domain but lead elsewhere, and the value is usually percent-encoded and may be scheme-relative (//attacker-host/).
Ensure that the Identity Provider (IdP) Single Logout Service (SLO) endpoint URL is correctly set in your Rocket.Chat configuration, and include that origin alongside your own site in any allow-list you add at the proxy or WAF.
Keep monitoring the endpoint for blocked or unexpected redirect targets until the upgrade is complete.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Rocket.Chat's SAML Single Logout redirect functionality allows attackers to redirect users to arbitrary external URLs, potentially enabling phishing or credential theft.
Such open redirect vulnerabilities can undermine the security and privacy protections required by common standards and regulations like GDPR and HIPAA, which mandate safeguarding user data and preventing unauthorized access or disclosure.
By enabling phishing attacks or credential theft, this vulnerability could lead to unauthorized access to personal or sensitive information, thereby impacting compliance with these regulations.
The fix enforces strict validation of redirect URLs to prevent unauthorized redirects, which helps maintain compliance by mitigating risks of data breaches and unauthorized data exposure.