External risk intelligence

Rocket.Chat SAML Authentication Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-46423

Rocket.Chat is a communication platform designed to be publicly accessible. This vulnerability affects the SAML authentication endpoint, which is exposed by default when the feature is enabled. Because the platform is intended for external connectivity and the vulnerability exists in a default-configured authentication path, it is highly likely to be internet-facing and reachable.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Rocket.Chat's security features could allow unauthorized access to user accounts if SAML authentication is enabled without proper configuration. This affects the platform's ability to securely verify user identities, potentially impacting the confidentiality of communications. The main concern is confirming relevance and exposure.

  • Authentication bypass in communication platform.
  • Protects against unauthorized access to communications.
  • Verify SAML configuration for security.

Attack Path

How an attacker could exploit the issue

An attacker could leverage a misconfiguration in the SAML settings to bypass authentication. By enabling SAML without providing an Identity Provider certificate, the system allows unsigned or forged SAML assertions, granting unauthorized access to the platform.

  • Enabled SAML without IdP certificate.
  • Forged SAML assertions are accepted.
  • Unauthorized access to the platform.

Live Threat

Current exploitation, exposure, and threat context

When the SAML service provider implementation in Rocket.Chat is configured without an Identity Provider certificate, it may bypass signature validation for SAML Responses and Assertions. This could allow an attacker to impersonate users when the SAML authentication feature is enabled, as the system would accept unsigned or attacker-supplied assertions.

  • User authentication credentials could be compromised.
  • Unsigned assertions may be accepted by the system.
  • Unauthorized access to user accounts.

Operational Fix

Recommended remediation, mitigation, and detection steps

For Rocket.Chat instances, the platform or infrastructure teams are typically responsible for managing the communication service and its authentication configurations. The first practical step is to identify all deployed Rocket.Chat instances, determine their exposure, and confirm which ones are business-critical to prioritize remediation.

  • Platform teams own this vulnerability.
  • Verify SAML configuration and IdP certificate presence.
  • Plan and execute version upgrades.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Rocket.Chat?

Rocket.Chat is an open-source, fully customizable communications platform designed for real-time collaboration. Organizations use it to host private chat services, manage internal and external messaging, and facilitate team workflows, often requiring secure authentication to ensure only authorized users access sensitive communications.

What does CVE-2026-46423 mean for security?

This vulnerability is an authentication bypass identified by the weakness class Improper Verification of Cryptographic Signature (CWE-347). It occurs when the software fails to verify digital signatures on login data. In this case, the system ignores security checks if a specific certificate field is left empty, allowing the application to accept forged or unsigned authentication requests.

How can an attacker trigger this vulnerability?

An attacker can exploit this if SAML is enabled but the administrator has not configured an Identity Provider certificate. The system defaults to skipping signature validation, meaning it will trust any authentication assertion provided. Simply having SAML enabled without a certificate is the trigger; if a certificate is correctly configured and present, the validation routine functions as intended.

Is my server at risk according to Halo Surface Signal?

Halo Surface Signal indicates a high risk because Rocket.Chat is designed for external connectivity. Since this authentication bypass affects the SAML endpoint, which is often internet-facing to support remote users, any instance with SAML enabled but lacking a configured certificate is likely reachable and exposed to potential unauthorized access.

How do I secure my Rocket.Chat instance?

First, verify your SAML configuration settings to see if an Identity Provider certificate is currently absent. If it is missing, prioritize adding the certificate immediately or disabling the SAML feature until you can do so. Afterward, plan an update to one of the patched versions—such as 8.5.0, 8.4.1, or 8.3.3—to ensure the underlying verification routine is permanently corrected.

References