Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured IdP certificate field is empty. The verifySignatures routine performs an early return when serviceProviderOptions.cert is falsy, which is the default state of the setting. Because provider registration only gates on the SAML "enabled" toggle and not on the presence of a certificate, an administrator who enables SAML without pasting an IdP certificate obtains a fully wired, publicly reachable SAML login endpoint that accepts unsigned or attacker-supplied assertions. This is a default-configuration authentication-bypass class: the fail-open branch is reached with no misconfiguration beyond leaving a field at its shipped default. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.
Published: 2026-06-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rocket.Chat's SAML service provider implementation silently omits verification of both SAML Response and Assertion signatures whenever the IdP certificate field is left empty. The verification routine returns early when the certificate setting is falsy, which is the default configuration. Because only the SAML enabled toggle is checked during provider registration, an administrator who turns on SAML without supplying a certificate creates a publicly reachable login endpoint that accepts unsigned or attacker-supplied assertions, effectively bypassing authentication. The flaw is classified as CWE-347.

Affected Systems

The issue impacts all Rocket.Chat installations running versions earlier than 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11. These versions allow the SAML service provider to be enabled without an IdP certificate, exposing the vulnerability. The affected product is Rocket.Chat, an open-source communications platform.

Risk and Exploitability

The CVSS base score is 9.3, indicating critical severity. EPSS data is not available. The flaw is exploitable in the default configuration; merely enabling SAML without configuring an IdP certificate is sufficient to create a publicly exposed endpoint that accepts unsigned assertions. Because the vulnerability requires no misconfiguration beyond the shipped defaults, the threat is substantial. The issue is not listed in the CISA KEV catalog, but its high CVSS score and ease of exploitation pose a significant risk to organizations relying on SAML authentication in Rocket.Chat.

Generated by OpenCVE AI on June 25, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Rocket.Chat patch, upgrading to version 8.5.0 or later (or to the corresponding patch level for earlier series).
  • If upgrading is not immediately possible, configure the IdP certificate field with a valid certificate so that SAML signature validation is enforced and the fail-open path is not used.
  • As a temporary measure, disable SAML authentication in the Rocket.Chat administration console until the patch can be applied or the certificate is configured.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type: Description
Values removed: (none)
Values added: the Description text shown at the top of this page

Type: Title
Values removed: (none)
Values added: Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty

Type: Weaknesses
Values removed: (none)
Values added: CWE-347

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0, score 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:58:57.909Z

Reserved: 2026-05-13T22:18:22.829Z

Link: CVE-2026-46423

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-347: Improper Verification of Cryptographic Signature