CVE-2026-22560 Overview
CVE-2026-22560 is an open redirect vulnerability in Rocket.Chat versions prior to 8.4.0. The flaw resides in a Security Assertion Markup Language (SAML) endpoint that fails to validate redirect destinations. Attackers can manipulate parameters within the SAML endpoint to redirect authenticated or unauthenticated users to arbitrary external URLs. The vulnerability maps to CWE-601: URL Redirection to Untrusted Site. Rocket.Chat addressed the issue in version 8.4.0.
Critical Impact
Attackers can craft malicious links that abuse the trusted Rocket.Chat domain to redirect victims to phishing or malware-hosting sites, undermining user trust in SAML-based authentication flows.
Affected Products
- Rocket.Chat versions prior to 8.4.0
- Self-hosted Rocket.Chat deployments using SAML authentication
- Rocket.Chat cloud instances running affected releases
Discovery Timeline
- 2026-04-10 - CVE-2026-22560 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-22560
Vulnerability Analysis
The vulnerability is an open redirect in a Rocket.Chat SAML endpoint. Rocket.Chat is an open-source team collaboration platform with built-in SAML single sign-on (SSO) support. The SAML endpoint accepts a redirect parameter that controls where the user lands after the authentication flow completes. The endpoint fails to enforce an allowlist of permitted destinations or validate that the target URL belongs to the application origin. As a result, attackers can supply any external URL and have the server issue an HTTP redirect to it.
The attack does not compromise confidentiality or integrity of the Rocket.Chat instance directly. It primarily affects availability of trust in the platform domain, which adversaries weaponize for phishing campaigns and credential theft.
Root Cause
The root cause is missing destination validation in the SAML endpoint's redirect handling logic. The endpoint trusts user-supplied URL parameters and passes them to a redirect response without verifying scheme, host, or path. This pattern is the canonical form of [CWE-601] vulnerabilities.
Attack Vector
The attack is network-based and requires no authentication or user interaction beyond clicking a link. An attacker crafts a URL that points at the legitimate Rocket.Chat SAML endpoint and includes a manipulated redirect parameter referencing an attacker-controlled domain. When a victim clicks the link, Rocket.Chat issues a redirect to the malicious site. The malicious site can then mimic the Rocket.Chat login page and harvest credentials or deliver malware.
No public proof-of-concept exploit is listed in the NVD record. The technical fix is documented in the Rocket.Chat GitHub Pull Request #38994 and the HackerOne Security Report #3418031.
Detection Methods for CVE-2026-22560
Indicators of Compromise
- HTTP requests to Rocket.Chat SAML endpoints containing redirect parameters with external domains in the value
- Web server access logs showing 3xx responses from SAML routes pointing to non-Rocket.Chat hosts
- Unusual referrer chains where users arrive at external phishing pages from a trusted Rocket.Chat URL
Detection Strategies
- Inspect web proxy and reverse proxy logs for requests to SAML endpoints with URL-encoded redirect parameters pointing outside the corporate domain
- Deploy web application firewall (WAF) rules that flag SAML endpoint requests containing absolute URLs in redirect parameters
- Correlate user-reported phishing emails against outbound redirects originating from the Rocket.Chat host
Monitoring Recommendations
- Enable verbose logging on the Rocket.Chat SAML authentication module and forward logs to a centralized analytics platform
- Alert on spikes in 302 or 303 responses from SAML routes where the Location header references an external domain
- Track user-agent and source IP patterns hitting SAML endpoints to identify automated abuse
How to Mitigate CVE-2026-22560
Immediate Actions Required
- Upgrade Rocket.Chat to version 8.4.0 or later on all production and staging instances
- Audit recent SAML endpoint access logs for suspicious redirect parameter values
- Notify end users to verify the destination domain before submitting credentials following a Rocket.Chat link
Patch Information
Rocket.Chat fixed the open redirect in version 8.4.0. The remediation is implemented in GitHub Pull Request #38994, which adds validation to the SAML endpoint's redirect parameter handling. Administrators running affected versions should upgrade to 8.4.0 or newer as the primary remediation.
Workarounds
- Place a reverse proxy or WAF in front of Rocket.Chat that strips or validates redirect parameters on SAML routes
- Restrict access to the Rocket.Chat SAML endpoint to known identity provider IP ranges where feasible
- Disable SAML authentication temporarily if the feature is not in active use until the patch is applied
# Example NGINX rule to block external redirect targets on SAML endpoints
location ~ ^/_saml/ {
if ($arg_redirect ~* "^https?://(?!chat\.example\.com)") {
return 400;
}
proxy_pass http://rocketchat_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

