CVE-2026-22560 Overview
An open redirect vulnerability exists in Rocket.Chat versions prior to 8.4.0 that allows attackers to redirect users to arbitrary URLs by manipulating parameters within a SAML endpoint. This vulnerability (CWE-601: URL Redirection to Untrusted Site) can be exploited to facilitate phishing attacks, credential theft, or malware distribution by tricking users into visiting malicious websites while believing they are interacting with a trusted Rocket.Chat instance.
Critical Impact
Attackers can leverage this open redirect vulnerability to conduct sophisticated phishing campaigns, potentially compromising user credentials and sensitive organizational data through social engineering attacks.
Affected Products
- Rocket.Chat versions prior to 8.4.0
Discovery Timeline
- 2026-04-10 - CVE-2026-22560 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-22560
Vulnerability Analysis
This open redirect vulnerability resides in Rocket.Chat's SAML (Security Assertion Markup Language) authentication endpoint. The application fails to properly validate redirect URLs passed through SAML authentication parameters, allowing attackers to craft malicious links that redirect users to attacker-controlled domains after interaction with the vulnerable endpoint.
Open redirect vulnerabilities are particularly dangerous in authentication flows because users inherently trust login and SSO processes. When a user clicks a link that appears to originate from their organization's Rocket.Chat server, they expect to remain within trusted infrastructure. The lack of proper URL validation in the SAML endpoint breaks this trust model.
Root Cause
The root cause of this vulnerability is insufficient input validation on URL parameters within the SAML authentication endpoint. The application does not adequately verify that redirect destinations belong to trusted or expected domains before performing the redirection. This allows attackers to supply arbitrary external URLs to which the application redirects users without warning.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction beyond clicking a crafted link. An attacker can construct a malicious URL containing the vulnerable Rocket.Chat SAML endpoint with a redirect parameter pointing to an attacker-controlled site.
The exploitation flow typically involves:
- The attacker identifies a Rocket.Chat instance running a vulnerable version (prior to 8.4.0)
- The attacker crafts a malicious URL that leverages the SAML endpoint's redirect parameter
- The attacker distributes this link via email, messaging, or other channels, often disguised as a legitimate Rocket.Chat login link
- When a victim clicks the link, they are redirected through the trusted Rocket.Chat domain to the attacker's malicious site
- The attacker can then present a fake login page to harvest credentials or serve malware
For technical implementation details, refer to the HackerOne Report #3418031 and the GitHub Pull Request containing the fix.
Detection Methods for CVE-2026-22560
Indicators of Compromise
- Unusual redirect patterns in web server logs involving SAML endpoints with external URLs
- User reports of unexpected redirects after clicking Rocket.Chat links
- Authentication logs showing SAML requests with suspicious redirect parameters pointing to external domains
- Phishing reports involving links that appear to originate from organizational Rocket.Chat instances
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing external URLs in SAML redirect parameters
- Monitor authentication logs for SAML endpoint access with redirect parameters containing non-whitelisted domains
- Deploy URL inspection at the network perimeter to identify outbound redirects from Rocket.Chat to suspicious destinations
- Utilize endpoint detection and response (EDR) solutions to identify browser redirects through Rocket.Chat to known malicious domains
Monitoring Recommendations
- Enable detailed logging for all SAML authentication endpoints and review logs regularly for anomalous redirect patterns
- Set up alerts for SAML endpoint access with redirect parameters pointing to domains outside the organization's trusted domain list
- Implement security information and event management (SIEM) rules to correlate Rocket.Chat access patterns with subsequent visits to suspicious external sites
How to Mitigate CVE-2026-22560
Immediate Actions Required
- Upgrade Rocket.Chat to version 8.4.0 or later immediately
- Review authentication logs for any evidence of exploitation attempts
- Notify users about the vulnerability and advise caution with Rocket.Chat links until patching is complete
- Consider temporarily restricting access to SAML endpoints if immediate patching is not possible
Patch Information
The vulnerability has been addressed in Rocket.Chat version 8.4.0. The fix implements proper validation of redirect URLs within the SAML endpoint to ensure only trusted destinations are allowed. Technical details of the patch can be reviewed in the GitHub Pull Request #38994.
Organizations should upgrade to version 8.4.0 or later to remediate this vulnerability. The upgrade process should follow standard change management procedures with testing in a non-production environment first.
Workarounds
- Implement a reverse proxy or WAF rule to validate and restrict redirect parameters on SAML endpoints to a whitelist of trusted domains
- Disable SAML authentication temporarily if not required for business operations until patching can be completed
- Use network-level controls to restrict Rocket.Chat SAML endpoint access to trusted IP ranges only
- Educate users to verify URLs before clicking and report suspicious Rocket.Chat links
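As an added example that is not Rocket.Chat's own code (the real fix is in the referenced pull request), the following JavaScript shows the allowlist check a SAML redirect target should pass, as described under Patch Information and the reverse-proxy workaround above, and applies the same check to constructed access-log lines to support the Detection Strategies section. The endpoint path `/_saml/`, the parameter name `redirectUrl`, the host `chat.example.org` and the log lines are placeholders and constructed data, not values from the advisory.

```javascript
// Added example (not Rocket.Chat code): allowlist check for a SAML
// post-login redirect target, plus a scanner that applies the same check
// to constructed access-log lines. Path, parameter name and trusted host
// are placeholders; the real ones are in the referenced pull request.
const TRUSTED_HOSTS = new Set(['chat.example.org']); // constructed
const SAML_PATH = '/_saml/';                          // placeholder
const REDIRECT_PARAM = 'redirectUrl';                 // placeholder

// True only for a local path or an explicitly trusted http(s) host.
// Protocol-relative targets (//host), non-http(s) schemes and any host
// not on the allowlist are rejected. The host comes from the parsed URL,
// so https://trusted@evil.example and trusted.evil.example are caught.
function isTrustedRedirect(target, trustedHosts = TRUSTED_HOSTS) {
  if (typeof target !== 'string' || target.length === 0) return false;
  // Browsers treat "\" like "/" in http(s) URLs; normalise before checking.
  const t = target.replace(/\\/g, '/');
  if (t.startsWith('/') && !t.startsWith('//')) return true; // same-origin path
  let url;
  try { url = new URL(t); } catch { return false; } // not an absolute URL
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return trustedHosts.has(url.hostname.toLowerCase());
}

// Constructed combined-format access-log lines, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2026:10:01:02 +0000] "GET /_saml/authorize/idp?redirectUrl=%2Fhome HTTP/1.1" 302 0',
  '203.0.113.9 - - [10/Apr/2026:10:03:14 +0000] "GET /_saml/authorize/idp?redirectUrl=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0',
  '203.0.113.9 - - [10/Apr/2026:10:03:15 +0000] "GET /_saml/authorize/idp?redirectUrl=%2F%2Fevil.example HTTP/1.1" 302 0',
  '198.51.100.4 - - [10/Apr/2026:10:05:00 +0000] "GET /api/v1/info HTTP/1.1" 200 512',
];

// Flag SAML requests whose redirect parameter fails the allowlist.
// Returns [{ ip, target }] so a SIEM rule can key on source and destination.
function scanAccessLog(lines, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const [, ip, path] = m;
    if (!path.startsWith(SAML_PATH)) continue;
    // searchParams percent-decodes the value, so an encoded "//" is caught too.
    const target = new URL(path, 'http://placeholder').searchParams.get(REDIRECT_PARAM);
    if (target !== null && !isTrustedRedirect(target, trustedHosts)) {
      findings.push({ ip, target });
    }
  }
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG)); // two findings, both from 203.0.113.9
```

The same `isTrustedRedirect` logic can sit in a reverse proxy or WAF rule in front of the SAML endpoint until the instance is upgraded.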
Organizations using SentinelOne can leverage the platform's URL inspection and behavioral analysis capabilities to detect and prevent exploitation attempts targeting this vulnerability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.