CVE-2026-46423
Authentication Bypass in Rocket.Chat via SAML Signature Validation

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting. Because provider registration only gates on the SAML "enabled" toggle and not on the presence of a certificate, an administrator who enables SAML without pasting an IdP certificate obtains a fully wired, publicly reachable SAML login endpoint that accepts unsigned or attacker-supplied assertions. This is a default-configuration authentication-bypass class: the fail-open branch is reached with no misconfiguration beyond leaving a field at its shipped default. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Meta Information
Generated: 2026-06-25
AI Q&A generated: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
One associated CPE:
Vendor: rocket_chat
Product: rocket_chat
Version / Range: up to 8.5.0 (excluding)
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Executive Summary

This vulnerability affects Rocket.Chat's SAML service provider implementation prior to versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. When the Identity Provider (IdP) certificate field is left empty (which is the default), the system silently skips validation of both the SAML Response and Assertion signatures.

Because the verification routine returns early if no certificate is provided, an administrator enabling SAML without supplying an IdP certificate creates a publicly accessible SAML login endpoint that accepts unsigned or attacker-supplied assertions. This results in an authentication bypass vulnerability that occurs even without any misconfiguration beyond leaving the certificate field empty.

Impact Analysis

This vulnerability can allow attackers to bypass authentication on Rocket.Chat instances that have SAML enabled but no IdP certificate configured. Because unsigned or maliciously crafted SAML assertions are accepted, unauthorized users could gain access to the system without valid credentials.

Such unauthorized access could lead to data exposure, unauthorized actions within the platform, and compromise of the communication environment.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Identity Provider (IdP) certificate field in the Rocket.Chat SAML service provider configuration is not left empty.

Specifically, do not enable SAML authentication without pasting a valid IdP certificate into the configuration.

Alternatively, upgrade Rocket.Chat to one of the fixed versions: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.

Compliance Impact

This vulnerability allows an authentication bypass in Rocket.Chat's SAML service provider implementation when the IdP certificate field is left empty. This means unauthorized users could potentially gain access without proper authentication.

Such unauthorized access could lead to exposure or compromise of sensitive communications and data, which may violate data protection requirements under regulations like GDPR and HIPAA that mandate strict access controls and authentication mechanisms.

Therefore, this vulnerability negatively impacts compliance with common standards and regulations by undermining the security controls required to protect personal and sensitive information.
