Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46423

CVE-2026-46423: Rocket.Chat SAML Auth Bypass Vulnerability

CVE-2026-46423 is an authentication bypass flaw in Rocket.Chat's SAML implementation that skips signature validation when no IdP certificate is configured. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-46423 Overview

CVE-2026-46423 is an authentication bypass vulnerability in Rocket.Chat's Security Assertion Markup Language (SAML) service provider implementation. The flaw allows attackers to forge SAML assertions when the Identity Provider (IdP) certificate field is left empty, which is the shipped default state. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, silently skipping both SAML Response and Assertion signature validation. An administrator who enables SAML without pasting an IdP certificate exposes a publicly reachable login endpoint that accepts unsigned or attacker-supplied assertions. The vulnerability is classified under [CWE-347] Improper Verification of Cryptographic Signature.

Critical Impact

Unauthenticated network attackers can impersonate arbitrary users, including administrators, by submitting forged SAML assertions to vulnerable Rocket.Chat instances.

Affected Products

  • Rocket.Chat versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, and 8.0.5
  • Rocket.Chat 7.x versions prior to 7.13.7
  • Rocket.Chat 7.x versions prior to 7.10.11

Discovery Timeline

  • 2026-06-24 - CVE-2026-46423 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-46423

Vulnerability Analysis

The vulnerability resides in Rocket.Chat's SAML authentication module. SAML relies on cryptographic signatures to bind assertions to a trusted Identity Provider. Rocket.Chat's verifySignatures routine is responsible for confirming that a SAML Response and its embedded Assertion were signed by the configured IdP.

The routine contains a guard that returns early when serviceProviderOptions.cert evaluates as falsy. An empty certificate field, which is the default configuration, satisfies this condition. As a result, the function exits without performing any signature validation and treats the assertion as authentic.

Provider registration logic only checks whether SAML is enabled. It does not validate that an IdP certificate has been supplied. An administrator who toggles SAML on without configuring the certificate field produces a fully wired login endpoint that accepts any SAML payload.

Root Cause

The root cause is a fail-open code path combined with insecure default configuration. The verification function chooses to skip validation when no certificate is configured, rather than rejecting assertions. The provider registration gate does not enforce the presence of a certificate as a precondition for enabling SAML.

Attack Vector

An unauthenticated attacker locates a Rocket.Chat SAML login endpoint exposed to the network. The attacker crafts a SAML Response containing an Assertion that names the target user, including administrator accounts. The attacker submits the unsigned or self-signed payload to the SAML Assertion Consumer Service URL. Because the certificate field is empty, signature validation is bypassed and Rocket.Chat issues an authenticated session for the impersonated user.

The vulnerability requires no privileges, no user interaction, and is exploitable over the network. Full technical context is available in the Rocket.Chat GitHub Security Advisory.

Detection Methods for CVE-2026-46423

Indicators of Compromise

  • Successful SAML logins where the corresponding Rocket.Chat SAML configuration has an empty IdP certificate field
  • Authentication events for administrator or privileged accounts originating from unexpected source IP addresses or unfamiliar user agents
  • New or modified administrator sessions immediately following requests to the SAML Assertion Consumer Service endpoint

Detection Strategies

  • Audit the Rocket.Chat administration console to identify SAML providers that are enabled with no configured IdP certificate
  • Review web server and reverse proxy logs for POST requests to the SAML callback path, correlating them with newly authenticated sessions
  • Compare SAML assertion issuers and signing certificates in application logs against the expected trusted IdP

Monitoring Recommendations

  • Enable verbose authentication logging on Rocket.Chat and forward events to a centralized log platform for correlation
  • Alert on first-time administrator logins, privilege role changes, and additions of new federated identity providers
  • Monitor outbound network connections from Rocket.Chat hosts for anomalous activity that may indicate post-authentication abuse

How to Mitigate CVE-2026-46423

Immediate Actions Required

  • Upgrade Rocket.Chat to a fixed release: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11
  • Disable any SAML provider that does not have a valid IdP certificate configured until the upgrade is complete
  • Review administrator account activity for unauthorized logins and rotate credentials for any accounts that may have been impersonated

Patch Information

Rocket.Chat resolved this vulnerability in versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Detailed remediation guidance is documented in the Rocket.Chat GitHub Security Advisory GHSA-rgg7-qvp9-wvx7.

Workarounds

  • If immediate upgrade is not possible, disable the SAML authentication provider in the Rocket.Chat administration console
  • Where SAML must remain enabled, populate the IdP certificate field with the correct trusted certificate and verify successful signature validation in test logins
  • Restrict network exposure of the Rocket.Chat SAML endpoints to trusted networks via reverse proxy or firewall rules until patched

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.