Main Vulnerability Database Vulnerabilities #VU131422

Improper Verification of Cryptographic Signature in Rocket.Chat - #VU131422

Published: May 14, 2026

Vulnerability identifier: #VU131422

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-347

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Rocket.Chat Technologies Corp.

Affected software:
Rocket.Chat

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and impersonate arbitrary users.

The vulnerability exists due to improper verification of cryptographic signature in the SAML signature verification routine when processing SAML responses with an empty configured IdP certificate field. A remote attacker can submit a crafted unsigned or attacker-supplied SAML assertion to bypass authentication and impersonate arbitrary users.

The issue is reachable when SAML is enabled and the IdP certificate field is left at its default empty value.

Remediation

Install security update from vendor's website.

Sources

https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-rgg7-qvp9-wvx7

Improper Verification of Cryptographic Signature in Rocket.Chat - #VU131422

Detailed vulnerability description

Remediation

Sources

Please verify you're human