Skip to main content

Rocket.Chat EUVDEUVD-2026-39091

| CVE-2026-45677 HIGH
Missing Authorization (CWE-862)
2026-06-24 security-advisories@github.com
8.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, no auth and no interaction (PR:N/UI:N) to forge an unsigned logout; knowing an email NameID keeps AC:L; impact is session destruction only, so A:H with C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 21:37 vuln.today
CVE Published
Jun 24, 2026 - 21:16 cve.org
HIGH 8.7

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not verify the signature on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID - which major identity providers (Okta, Google Workspace, Microsoft Entra ID, JumpCloud) expose as the user's email address - can craft a valid-looking unsigned LogoutRequest and submit it to the SP logout endpoint. The server processes it as legitimate, immediately destroying the victim's session. Because the attack requires no authentication and no interaction from the victim, it can be repeated in a loop against individual users or scripted across many accounts, effectively rendering the Rocket.Chat instance unusable for SAML-authenticated users. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

AnalysisAI

Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate target user emails (SAML NameIDs)
Delivery
Craft unsigned SAML LogoutRequest
Exploit
Submit to Rocket.Chat SP logout endpoint
Execution
Server skips signature check, accepts message
Persist
Victim session destroyed
Impact
Loop/script across users for sustained DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Rocket.Chat instance is configured with SAML authentication and exposes a reachable SP single-logout (SLO) endpoint, and that the attacker knows the victim's SAML NameID - which, with Okta, Google Workspace, Microsoft Entra ID, and JumpCloud, is the user's email address (commonly public/enumerable). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with VA:H and VC:N/VI:N is internally consistent with the description: fully remote, low-complexity, no privileges, no user interaction, and impact limited to availability - there is no data disclosure or integrity compromise, only forced logout/session destruction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker harvests a target organization's user email addresses (the SAML NameIDs) from public sources or directory enumeration, then sends crafted, unsigned SAML LogoutRequest messages naming each user to Rocket.Chat's SLO endpoint. The server accepts each as legitimate and immediately terminates the victims' sessions; the attacker loops the requests to keep users perpetually logged out, producing a sustained denial of service. …
Remediation Vendor-released patch: upgrade to the fixed version on your release branch - 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11 - choosing the patched release closest to your current branch to minimize functional change. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Rocket.Chat instances in production and document current version numbers and release branches in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy