Platform: nodejs
Component: rocket-chat
Fixed in: 8.4.0
CVE-2026-22560 describes an open redirect vulnerability affecting Rocket.Chat versions 1.0.0 through 8.4.0. This flaw allows attackers to redirect users to arbitrary URLs by exploiting parameters within the SAML endpoint, potentially leading to phishing or malicious site redirection. The vulnerability was published on 2026-04-10 and a fix is available in version 8.4.0.
An open redirect vulnerability presents a significant risk of phishing attacks and malicious redirection. An attacker could craft a legitimate-looking link containing a malicious URL, leveraging Rocket.Chat's SAML endpoint. When a user clicks this link, they are unknowingly redirected to the attacker's controlled website, potentially compromising their credentials or exposing them to malware. The blast radius extends to all users who interact with the Rocket.Chat SAML integration, particularly those who trust links shared within the platform. This vulnerability is similar to other open redirect flaws where the trust associated with a legitimate application is exploited to deliver malicious content.
CVE-2026-22560 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the open redirect nature of the vulnerability makes it likely that such exploits will emerge. The vulnerability was publicly disclosed on 2026-04-10.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2026-22560 is to upgrade Rocket.Chat to version 8.4.0 or later, which contains the fix. If an immediate upgrade is not feasible, apply stricter input validation on the SAML endpoint so that a user-controlled redirect target cannot be manipulated into pointing at an external site. Web Application Firewalls (WAFs) can be configured to block requests whose redirect parameters point at suspicious domains. Regularly review and audit SAML configurations to identify and address potential vulnerabilities. After upgrading, confirm the fix by checking that the SAML endpoint no longer honours redirect targets on arbitrary external origins.
Update Rocket.Chat to version 8.4.0 or higher to mitigate the open redirect vulnerability. This update corrects parameter manipulation in the SAML endpoint, preventing redirection to malicious websites.
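The interim input-validation control and the post-upgrade check described above can both be expressed as a small redirect-target validator. The following is an added example, not Rocket.Chat's own code and not its SAML implementation: it assumes a Node.js service whose canonical origin is the constructed value `https://chat.example.com`, and the function names `sanitizeRedirectTarget` and `isUnsafeRedirectResponse` are hypothetical. It accepts only same-origin paths (returned in root-relative form) or explicitly allow-listed origins, and refuses the usual bypass shapes (protocol-relative, backslash, userinfo, look-alike host, non-http scheme, scheme downgrade).

```javascript
// Added example (not Rocket.Chat code): validate a user-supplied redirect
// target before it is ever passed to a redirect response. Relies only on the
// WHATWG URL class that Node.js provides as a global.

/**
 * Return a safe redirect location, or null if the target must be refused.
 * @param {unknown}  target          raw parameter value (e.g. a redirect/relay field)
 * @param {string}   appOrigin       canonical origin of this deployment
 * @param {string[]} allowedOrigins  extra origins that may be redirected to (default: none)
 */
function sanitizeRedirectTarget(target, appOrigin, allowedOrigins = []) {
  if (typeof target !== "string" || target.length === 0 || target.length > 2048) {
    return null;
  }
  // The URL parser silently strips some whitespace and control characters, which is
  // exactly the normalization attackers lean on; refuse such input before parsing.
  if (/[\u0000-\u001f\u007f]/.test(target) || target !== target.trim()) {
    return null;
  }

  let parsed;
  try {
    // Resolve relative targets against our own origin. Protocol-relative ("//evil"),
    // backslash ("/\\evil") and userinfo ("https://app@evil") forms all resolve to a
    // foreign host and are rejected by the origin comparison below.
    parsed = new URL(target, appOrigin);
  } catch {
    return null;
  }

  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return null; // javascript:, data:, and similar schemes are never redirect targets
  }

  const own = new URL(appOrigin).origin; // normalizes case and default port
  if (parsed.origin === own) {
    // Same origin: emit a root-relative path so scheme and host cannot be influenced.
    return parsed.pathname + parsed.search + parsed.hash;
  }
  if (allowedOrigins.includes(parsed.origin)) {
    return parsed.href;
  }
  return null;
}

/**
 * Post-upgrade verification helper: given the status code and Location header
 * observed for a probe request, report whether the server still redirected to a
 * target that sanitizeRedirectTarget would refuse.
 */
function isUnsafeRedirectResponse(status, location, appOrigin, allowedOrigins = []) {
  const redirectStatuses = new Set([301, 302, 303, 307, 308]);
  if (!redirectStatuses.has(status) || !location) {
    return false; // not a redirect, nothing to assess
  }
  return sanitizeRedirectTarget(location, appOrigin, allowedOrigins) === null;
}

// Constructed sample inputs (not taken from any real deployment) covering the
// common bypass shapes a validator must handle.
const APP_ORIGIN = "https://chat.example.com";
const SAMPLE_TARGETS = [
  "/home",
  "/channel/general?msg=1#top",
  "https://chat.example.com:443/direct/alice",
  "http://chat.example.com/home",
  "//evil.example/phish",
  "/\\evil.example",
  "https://chat.example.com@evil.example/",
  "https://chat.example.com.evil.example/",
  "javascript:alert(1)",
  " /home",
];

// Map each sample to its sanitized form (null means "refused").
function classifySamples(allowedOrigins = []) {
  const out = {};
  for (const t of SAMPLE_TARGETS) {
    out[t] = sanitizeRedirectTarget(t, APP_ORIGIN, allowedOrigins);
  }
  return out;
}

console.table(classifySamples());
```

When an identity provider legitimately needs to be a redirect destination, pass its exact origin in `allowedOrigins` rather than relaxing the same-origin rule; comparing `origin` rather than matching host names by prefix or substring is what defeats the look-alike and userinfo cases.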
CVE-2026-22560 is an open redirect vulnerability in Rocket.Chat versions 1.0.0–8.4.0, allowing attackers to redirect users to malicious URLs via SAML endpoint manipulation.
If you are running Rocket.Chat versions 1.0.0 through 8.4.0 and utilize SAML integration, you are potentially affected by this vulnerability.
Upgrade Rocket.Chat to version 8.4.0 or later to resolve the open redirect vulnerability. Consider implementing stricter input validation as an interim measure.
While no active exploitation has been confirmed, the open redirect nature of the vulnerability suggests potential for exploitation.
Refer to the official Rocket.Chat security advisory for detailed information and updates regarding CVE-2026-22560.