CVE-2026-1568

Rapid7 InsightVM Signature Validation Vulnerability

Assigner: rapid7
Reserved: 28.01.2026 Published: 03.02.2026 Updated: 04.02.2026

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 9.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Rapid7
Product	Vulnerability Management
Versions	Default: unaffected affected from 0 to 8.34.0 (excl.)

Vendor

Rapid7

Product

Vulnerability Management

Versions

Default: unaffected

affected from 0 to 8.34.0 (excl.)

Credits

Cory Rey, Schellman finder

References

Problem Types