CVE-2026-46423: CWE-347: Improper Verification of Cryptographic Signature in RocketChat Rocket.Chat
Rocket.Chat versions prior to 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0 contain a vulnerability in their SAML service provider implementation. When the IdP certificate field is left empty, the system skips verification of SAML Response and Assertion signatures, allowing authentication bypass via unsigned or attacker-supplied assertions. This occurs by default if an administrator enables SAML without configuring the IdP certificate. The issue is fixed in the listed versions.
AI Analysis
Technical Summary
CVE-2026-46423 is an improper verification of cryptographic signature vulnerability (CWE-347) in Rocket.Chat's SAML service provider implementation. Prior to versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0, the verifySignatures routine returns early without validating signatures if the IdP certificate field is empty (which is the default). This results in a fail-open authentication bypass where unsigned or attacker-supplied SAML assertions are accepted, exposing the system to unauthorized access. The vulnerability is triggered by enabling SAML without providing an IdP certificate, which is a default configuration state. The issue is resolved in the specified fixed versions.
Potential Impact
This vulnerability allows an attacker to bypass authentication by submitting unsigned or attacker-controlled SAML assertions to the Rocket.Chat SAML login endpoint. Because signature verification is skipped when the IdP certificate is not configured, an attacker can gain unauthorized access without valid credentials. The vulnerability affects default configurations where the IdP certificate field is left empty. The CVSS 4.0 score is 9.3 (critical), indicating a high-impact remote, unauthenticated attack with high confidentiality and integrity impact.
Mitigation Recommendations
A fix is available in Rocket.Chat versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0. Users should upgrade to one of these versions or later to remediate this vulnerability. Until upgraded, administrators must ensure that the IdP certificate field is properly configured and not left empty when enabling SAML to avoid the authentication bypass. Patch status is confirmed by the vendor advisory stating the vulnerability is fixed in these versions.
CVSS v4.0
Score: 9.3 (Critical)
Affected software
pkg:github/rocketchat/Rocket.Chat
Weaknesses
CWE-347: Improper Verification of Cryptographic Signature
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-13T22:18:22.829Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3c4ce24853345fc1df8d63
Added to database: 06/24/2026, 21:32:18 UTC
Last enriched: 06/24/2026, 21:45:59 UTC
Last updated: 06/24/2026, 22:38:10 UTC