CVE-2026-1568 | THREATINT

Description

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

PUBLISHED Reserved 2026-01-28 | Published 2026-02-03 | Updated 2026-02-04 | Assigner rapid7

CRITICAL: 9.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Problem types

CWE-347 Improper Verification of Cryptographic Signature

CWE-287 Improper Authentication

Product status

Default status

unaffected

Any version before 8.34.0

affected

Credits

Cory Rey, Schellman finder

References

docs.rapid7.com/insight/command-platform-release-notes/

cve.org (CVE-2026-1568)

nvd.nist.gov (CVE-2026-1568)

Download JSON