Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not verify the signature on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID - which major identity providers (Okta, Google Workspace, Microsoft Entra ID, JumpCloud) expose as the user's email address - can craft a valid-looking unsigned LogoutRequest and submit it to the SP logout endpoint. The server processes it as legitimate, immediately destroying the victim's session. Because the attack requires no authentication and no interaction from the victim, it can be repeated in a loop against individual users or scripted across many accounts, effectively rendering the Rocket.Chat instance unusable for SAML-authenticated users. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Published: 2026-06-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat’s SAML integration fails to check the signature of inbound LogoutRequest messages. An attacker who knows the target user’s SAML NameID—a value that most identity providers expose as the user’s email address—can create an unsigned LogoutRequest that looks legitimate and send it to Rocket.Chat’s logout endpoint. The server treats this request as valid and immediately ends the user’s session. Because the exploit requires no authentication or user interaction, an attacker can repeatedly send such requests, effectively performing a denial‑of‑service against SAML‑authenticated users.
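As an added illustration of the check the Description and the Impact paragraph say is missing (this is example code, not Rocket.Chat's own SAML implementation): an SP-side gate that decodes a LogoutRequest received over the SAML HTTP-Redirect binding and refuses to touch any session unless the message names the expected Issuer, is addressed to the SP's own logout URL and actually carries a ds:Signature. The Issuer, Destination and sample messages are constructed placeholders; cryptographic verification of the signature against the IdP certificate is left to an XML-DSig library and is not performed here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Hypothetical SP configuration; real values come from the IdP/SP metadata.
EXPECTED_ISSUER = "https://idp.example.test/metadata"
EXPECTED_DESTINATION = "https://chat.example.test/saml/logout"

def decode_redirect_binding(saml_request: str) -> bytes:
    """HTTP-Redirect binding carries base64(raw DEFLATE(xml)); wbits=-15 means no zlib header."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def vet_logout_request(xml_bytes: bytes) -> tuple:
    """Return (ok, reason, name_id). No session may be ended unless ok is True.
    This is the structural gate only: ds:Signature must afterwards be verified
    cryptographically (XML-DSig library) against the IdP's signing certificate."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return (False, f"malformed XML: {exc}", None)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        return (False, "not a LogoutRequest", None)
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        return (False, "unexpected Issuer", None)
    if root.get("Destination") != EXPECTED_DESTINATION:
        return (False, "Destination mismatch", None)
    sig = root.find("ds:Signature", NS)
    if sig is None or sig.find("ds:SignatureValue", NS) is None:
        return (False, "LogoutRequest is unsigned", None)  # the check the CVE describes as absent
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        return (False, "no NameID", None)
    return (True, "structurally valid; verify ds:Signature before logging out", name_id)

def sample_logout_request(signed: bool) -> str:
    """Constructed sample (not captured traffic); the Signature is a placeholder shape only."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>') if signed else ""
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_req1" Version="2.0" IssueInstant="2026-06-24T21:00:00Z" '
           f'Destination="{EXPECTED_DESTINATION}"><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
           f'{sig}<saml:NameID>victim@example.test</saml:NameID></samlp:LogoutRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
```

The unsigned sample is rejected with "LogoutRequest is unsigned" before any NameID is looked at; the signed-shaped one passes the gate and hands its NameID on to real signature verification.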

Affected Systems

The affected product is RocketChat:Rocket.Chat. All releases prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 must be upgraded to versions that include the fix. The vulnerability has been patched in those releases, rendering them secure against this specific logout request forgery.

Risk and Exploitability

The CVSS score of 8.7 reflects a high likelihood of successful exploitation with severe impact. Because the attacker only needs to know a target user’s SAML NameID—frequently exposed as the user’s email address by major identity providers—a wide range of adversaries can craft and replay unsigned LogoutRequests. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, but the ease of exploitation and the potential to repeatedly deny service to many accounts indicate a significant operational risk.

Generated by OpenCVE AI on June 25, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to any version that includes the fix (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11).
  • Ensure that the SAML integration is configured to require signature verification for LogoutRequest messages; if configuration options exist, enable this setting after upgrading.
  • If an immediate upgrade is not feasible, temporarily restrict access to the SAML logout endpoint with firewall rules or IP-based access controls so that only the identity provider can reach it.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description   -                (identical to the Description above)
Title         -                Rocket.Chat: Lack of SAML Signature Check During Logout Could Lead To DoS
Weaknesses    -                CWE-862
References    -                -
Metrics       -                cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:54:13.059Z

Reserved: 2026-05-12T21:59:25.666Z

Link: CVE-2026-45677

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses