Description

An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.

PUBLISHED Reserved 2026-01-07 | Published 2026-04-10 | Updated 2026-04-10 | Assigner hackerone

Problem types

CWE-601 Open Redirect

Product status

Default status: unaffected

Affected: versions before 8.4.0 (semver)

References

hackerone.com/reports/3418031

github.com/RocketChat/Rocket.Chat/pull/38994

cve.org (CVE-2026-22560)

nvd.nist.gov (CVE-2026-22560)