CVE-2026-45677 Overview
CVE-2026-45677 affects Rocket.Chat, an open-source communications platform. The vulnerability resides in the Security Assertion Markup Language (SAML) integration, which fails to verify signatures on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID can submit a crafted unsigned LogoutRequest to the Service Provider (SP) logout endpoint. The server processes the request as legitimate and immediately destroys the victim's session. Major identity providers including Okta, Google Workspace, Microsoft Entra ID, and JumpCloud expose the NameID as the user's email address, lowering the bar for exploitation. The flaw is categorized under [CWE-862] Missing Authorization.
Critical Impact
Attackers can repeatedly terminate SAML-authenticated user sessions without authentication or user interaction, rendering the Rocket.Chat instance unusable for affected users.
Affected Products
- Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, and 8.0.5
- Rocket.Chat versions prior to 7.13.7
- Rocket.Chat versions prior to 7.10.11
Discovery Timeline
- 2026-06-24 - CVE-2026-45677 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-45677
Vulnerability Analysis
The vulnerability stems from a missing authorization check in Rocket.Chat's SAML Single Logout (SLO) handler. SAML specifications require Service Providers to validate the cryptographic signature of LogoutRequest messages received from an Identity Provider (IdP). Rocket.Chat's SP logout endpoint accepts and processes these messages without performing signature validation.
An attacker who learns a victim's NameID can forge a syntactically valid logout request and submit it to the endpoint. The server treats the unsigned request as authoritative and tears down the victim's authenticated session. The attack requires no credentials, no prior session, and no victim interaction.
The impact is a targeted denial of service against SAML-authenticated accounts. An attacker can script the request and replay it in a loop, preventing victims from maintaining usable sessions. When executed across many users, the workflow effectively disables the platform for SAML-authenticated users.
Root Cause
The root cause is the absence of XML digital signature validation on the inbound LogoutRequest message at the SP logout endpoint. The implementation accepts the asserted NameID value without cryptographically binding it to the trusted IdP, which violates the SAML profile requirements and corresponds to [CWE-862] Missing Authorization.
Attack Vector
The attack is delivered over the network against the Rocket.Chat SP logout endpoint. The attacker constructs a SAML LogoutRequest XML document containing the victim's NameID, omits or supplies a non-validated signature, and HTTP POSTs the message to the logout URL. Because identity providers commonly expose NameID as the user's email address, enumeration of targets is straightforward. The vulnerability manifests as an unsigned request reaching session-destruction logic. See the GitHub Security Advisory for protocol-level details.
Detection Methods for CVE-2026-45677
Indicators of Compromise
- High-frequency LogoutRequest submissions to the Rocket.Chat SAML SP logout endpoint from a single source or distributed sources.
- Unsigned or improperly signed LogoutRequest XML payloads received at the SP endpoint.
- Repeated session termination events for the same SAML-authenticated user without a matching IdP-initiated logout entry.
- User complaints of being repeatedly logged out despite no manual action.
Detection Strategies
- Parse Rocket.Chat application logs for SAML logout events and correlate them with IdP logout audit trails to identify mismatches.
- Inspect HTTP request bodies destined for the SAML logout endpoint for the presence and validity of the <ds:Signature> element.
- Baseline normal logout request volume per user per hour, and alert on statistical deviations.
Monitoring Recommendations
- Forward Rocket.Chat application and reverse-proxy logs to a centralized SIEM for correlation with IdP authentication telemetry.
- Monitor the SP logout endpoint specifically for anonymous POST requests with SAML payloads.
- Track session-termination rates per user account as a leading indicator of targeted abuse.
How to Mitigate CVE-2026-45677
Immediate Actions Required
- Upgrade Rocket.Chat to a fixed release: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11.
- Inventory all Rocket.Chat instances exposed to the network and prioritize those using SAML authentication.
- Review recent application logs for evidence of forged LogoutRequest traffic prior to patching.
Patch Information
Rocket.Chat addressed the vulnerability by enforcing signature verification on inbound SAML LogoutRequest messages. The fix is available in versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Refer to the Rocket.Chat GitHub Security Advisory GHSA-pw6f-q8ww-vqfq for upgrade guidance.
Workarounds
- Restrict access to the SAML SP logout endpoint at the reverse proxy or web application firewall (WAF) layer to known IdP source ranges where feasible.
- Apply rate limiting to the logout endpoint per source IP and per NameID to slow scripted abuse.
- Temporarily disable SAML Single Logout if upgrading is not immediately possible and operational policy permits.
- Rotate or mask NameID values where the IdP supports non-email identifiers to reduce target enumeration.
# Example WAF rule (pseudocode) to block unsigned SAML LogoutRequests
# Inspect POST bodies to the SAML logout endpoint and require a Signature element
SecRule REQUEST_URI "@beginsWith /_saml/logout" \
"chain,deny,status:403,id:1004501,msg:'Unsigned SAML LogoutRequest blocked'"
SecRule REQUEST_BODY "@rx <samlp:LogoutRequest" \
"chain"
SecRule REQUEST_BODY "!@rx <ds:Signature" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

