Rocket.Chat: Lack of SAML Signature Check During Logout Could Lead...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not verify the signature on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID - which major identity providers (Okta, Google Workspace, Microsoft Entra ID, JumpCloud) expose as the user's email address - can craft a valid-looking unsigned LogoutRequest and submit it to the SP logout endpoint. The server processes it as legitimate, immediately destroying the victim's session. Because the attack requires no authentication and no interaction from the victim, it can be repeated in a loop against individual users or scripted across many accounts, effectively rendering the Rocket.Chat instance unusable for SAML-authenticated users. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.

AI Analysis

Lack of SAML signature check during logout could lead to Denial of Service (DoS)

Basic Information

ID CVE-2026-45677

Source GitHub_M

Published Jun 24, 2026 at 20:54

Affected Product

Vendor RocketChat

Product Rocket.Chat

Version >= 8.5.0-rc.0, < 8.5.0

Affected Versions RocketChat Rocket.Chat >= 8.5.0-rc.0, < 8.5.0
RocketChat Rocket.Chat >= 8.4.0-rc.0, < 8.4.1
RocketChat Rocket.Chat >= 8.3.0-rc.0, < 8.3.3
RocketChat Rocket.Chat >= 8.2.0-rc.0, < 8.2.3
RocketChat Rocket.Chat >= 8.1.0-rc.0, < 8.1.4
RocketChat Rocket.Chat >= 8.0.0-rc.0, < 8.0.5
RocketChat Rocket.Chat >= 7.11.0-rc.0, < 7.13.7
RocketChat Rocket.Chat < 7.10.11

CWE Classification

CWE-862

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor RocketChat

Product Rocket.Chat

Version < 8.5.0, < 8.4.1, < 8.3.3, < 8.2.3, < 8.1.4, < 8.0.5, < 7.13.7, < 7.10.11

References

github.com /RocketChat/Rocket.Chat/security/advisories/GHSA-pw6f-q8ww-vqfq

{
    "lastseen": "",
    "description": "Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML integration does not verify the signature on inbound LogoutRequest messages. An unauthenticated remote attacker who knows a target user's SAML NameID - which major identity providers (Okta, Google Workspace, Microsoft Entra ID, JumpCloud) expose as the user's email address - can craft a valid-looking unsigned LogoutRequest and submit it to the SP logout endpoint. The server processes it as legitimate, immediately destroying the victim's session. Because the attack requires no authentication and no interaction from the victim, it can be repeated in a loop against individual users or scripted across many accounts, effectively rendering the Rocket.Chat instance unusable for SAML-authenticated users. This vulnerability is fixed in 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11.",
    "published": "2026-06-24T20:54:13.059Z",
    "modified": "2026-06-24T20:54:13.059Z",
    "type": "cve",
    "title": "Rocket.Chat: Lack of SAML Signature Check During Logout Could Lead To DoS",
    "source": "GitHub_M",
    "references": "https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-pw6f-q8ww-vqfq",
    "id": "CVE-2026-45677",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "RocketChat Rocket.Chat >= 8.5.0-rc.0, < 8.5.0\nRocketChat Rocket.Chat >= 8.4.0-rc.0, < 8.4.1\nRocketChat Rocket.Chat >= 8.3.0-rc.0, < 8.3.3\nRocketChat Rocket.Chat >= 8.2.0-rc.0, < 8.2.3\nRocketChat Rocket.Chat >= 8.1.0-rc.0, < 8.1.4\nRocketChat Rocket.Chat >= 8.0.0-rc.0, < 8.0.5\nRocketChat Rocket.Chat >= 7.11.0-rc.0, < 7.13.7\nRocketChat Rocket.Chat < 7.10.11",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Rocket.Chat",
    "version": ">= 8.5.0-rc.0, < 8.5.0",
    "vendor": "RocketChat",
    "ai_description": "Lack of SAML signature check during logout could lead to Denial of Service (DoS)",
    "ai_severity": "High",
    "ai_vendor": "RocketChat",
    "ai_product": "Rocket.Chat",
    "ai_version": "< 8.5.0, < 8.4.1, < 8.3.3, < 8.2.3, < 8.1.4, < 8.0.5, < 7.13.7, < 7.10.11",
    "ai_score": 8.7
}

Rocket.Chat: Lack of SAML Signature Check During Logout Could Lead To DoS_CVE-2026-45677