CVE-2026-22560
Received Received - Intake
Open Redirect in Rocket.Chat SAML Endpoint Allows Arbitrary Redirects

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: HackerOne

Description
An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22560
EUVD
EUVD-2026-21500
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rocket.chat rocket.chat to 8.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22560 is an open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 that affects the SAML Single Logout (SLO) redirect functionality.

The vulnerability allows attackers to manipulate the `redirect` query parameter in SAML SLO URLs to redirect users to arbitrary external URLs.

This happens because the function handling the redirect used the user-supplied `redirect` parameter without proper validation, enabling crafted URLs to redirect users to malicious sites.

Impact Analysis

This vulnerability can be exploited to redirect users to malicious external websites.

Such redirects can be used for phishing attacks or credential theft by tricking users into visiting attacker-controlled sites.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Rocket.Chat SAML Single Logout (SLO) endpoint that include a redirect query parameter pointing to external or unexpected URLs.

  • Look for requests matching the pattern: /_saml/sloRedirect/<idp>/?redirect=<external_url>
  • Use network traffic inspection tools or web server logs to identify such requests.
  • Example command using grep on web server logs to find suspicious redirects: grep -i '_saml/sloRedirect' /var/log/nginx/access.log | grep 'redirect=http'
  • Use curl or similar tools to test the endpoint manually, for example: curl -I 'https://your-rocket-chat-domain/_saml/sloRedirect/saml-test/?redirect=https://malicious-site.com'
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Rocket.Chat to version 8.4.0 or later where the fix has been applied.

If upgrading is not immediately possible, restrict access to the SAML SLO redirect endpoint and monitor for suspicious redirect parameters.

Ensure that the configured Identity Provider (IdP) Single Logout Service (SLO) endpoint URL is correctly set and validated in your Rocket.Chat configuration.

Apply web application firewall (WAF) rules to block requests with redirect parameters pointing to external or untrusted domains.

Compliance Impact

The vulnerability in Rocket.Chat's SAML Single Logout redirect functionality allows attackers to redirect users to arbitrary external URLs, potentially enabling phishing or credential theft.

Such open redirect vulnerabilities can undermine the security and privacy protections required by common standards and regulations like GDPR and HIPAA, which mandate safeguarding user data and preventing unauthorized access or disclosure.

By enabling phishing attacks or credential theft, this vulnerability could lead to unauthorized access to personal or sensitive information, thereby impacting compliance with these regulations.

The fix enforces strict validation of redirect URLs to prevent unauthorized redirects, which helps maintain compliance by mitigating risks of data breaches and unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22560. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart