CRITICAL · CVE-2026-46423 · CNA: GitHub_M

CVE-2026-46423: Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting. Because provider registration only gates on the SAML "enabled" toggle and not on the presence of a certificate, an administrator who enables SAML without pasting an IdP certificate obtains a fully wired, publicly reachable SAML login endpoint that accepts unsigned or attacker-supplied assertions. This is a default-configuration authentication-bypass class: the fail-open branch is reached with no misconfiguration beyond leaving a field at its shipped default. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass in Rocket.Chat's SAML service provider implementation. The vulnerability is reachable over the network with no authentication required: when the IdP certificate field is left empty (its default state), the signature verification routine exits early and accepts any SAML assertion, including ones crafted by an attacker. Successful exploitation lets an attacker authenticate as any user, including administrators, without valid credentials. Fixes are published upstream in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11; HarborGuard tracks the advisory and flags images whose Rocket.Chat version falls in the affected range.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Rocket.Chat images in private registries and CI pipelines. Any image whose Rocket.Chat version falls within the affected range is flagged immediately. A version match identifies candidates, not confirmed exposures: an instance is exploitable only if SAML is enabled and the IdP certificate field is empty, so a flagged image whose deployment has a certificate configured is vulnerable code but not an open endpoint.
Triage (Available)

HarborGuard scores this CVE at CVSS 9.3 Critical and surfaces it as highest priority in each customer's vulnerability queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox configured for the relevant workload owner inside each customer org.
Patch (Upstream fix available)

Upstream fix versions are published: 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. HarborGuard re-checks the advisory on every ingest cycle for range or version changes. Customers with auto-remediation enabled receive the patched-image rebuild on a fixed base, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The SAML login endpoint is publicly reachable over the network, so an attacker must be able to send HTTP requests to the Rocket.Chat instance.

  • Authentication: Not required

    No credentials or prior session are needed; the attack targets the pre-authentication SAML login flow.

  • Victim interaction: Not required

    The attacker submits a crafted SAML assertion directly to the endpoint with no action required from any legitimate user.

  • Attack complexity: Low

    Exploitation is straightforward and condition-free: crafting a valid-looking unsigned SAML assertion requires no race condition, memory layout knowledge, or environmental prerequisite.

Blast Radius

  • Attacker authenticates as any arbitrary Rocket.Chat user, including workspace administrators, by supplying a self-crafted SAML assertion.
  • Full read access to all messages, direct messages, private channels, and file attachments stored in the workspace.
  • Full write access to workspace content, user account settings, and administrative configuration, including installed integrations and webhooks.
  • Service availability is partially degraded (low impact per CVSS VA:L), for example through disruptive administrative actions performed under the hijacked session.

How HarborGuard Handles This

Upstream fix versions are published (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11), so the remediation is an upgrade to a fixed release; for customers with auto-remediation enabled, the patched-image rebuild is followed by a regression-test run and a PR opened against affected workloads, with no manual intervention needed. Until the upgrade lands, two compensating controls follow directly from the root cause: paste the IdP's signing certificate into the SAML certificate field, since the fail-open branch is only reached when that field is empty, and confirm after saving that the setting is non-empty; if SAML is not actively in use, disable the SAML toggle in Rocket.Chat administration, which removes the registered login endpoint entirely. Restricting the SAML callback endpoint by source address to the identity provider's IPs is not a substitute: with the browser-mediated POST binding the SAML response is delivered by the user's browser, not by the IdP, so such a rule blocks legitimate logins rather than the attack. Network policy can still limit which clients reach the Rocket.Chat instance at all, and egress filtering can limit its use as a pivot if an attacker does gain access. The severity is Critical (9.3) because the bypass is reached through a default configuration state: every SAML-enabled Rocket.Chat instance with an unpopulated IdP certificate field is exploitable with no preconditions.

Affected packages
  • RocketChat / Rocket.Chat
    >= 8.5.0-rc.0, < 8.5.0 · >= 8.4.0-rc.0, < 8.4.1 · >= 8.3.0-rc.0, < 8.3.3 · >= 8.2.0-rc.0, < 8.2.3 · >= 8.1.0-rc.0, < 8.1.4 · >= 8.0.0-rc.0, < 8.0.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N