CVE-2026-1568

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.rapid7.com/insight/command-platform-release-notes/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Las versiones de Rapid7 InsightVM anteriores a la 8.34.0 contienen un problema de verificación de firma en el endpoint en la nube del Servicio de Consumidor de Aserciones (ACS) que podría permitir a un atacante obtener acceso no autorizado a cuentas de InsightVM configuradas a través de instalaciones de 'Security Console', lo que resulta en una toma de control total de la cuenta. El problema ocurre debido a que la aplicación procesa estas aserciones sin firmar y emite cookies de sesión que otorgaban acceso a las cuentas de usuario objetivo. Esto ha sido corregido en la versión 8.34.0 de InsightVM.

03 Feb 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-03 17:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1568

Mitre link : CVE-2026-1568

CVE.ORG link : CVE-2026-1568

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

CWE-347

Improper Verification of Cryptographic Signature

9.6 /10