CVE-2026-1568
📋 TL;DR
A signature verification vulnerability in the Assertion Consumer Service (ACS) of Rapid7 InsightVM's Security Console allows attackers to bypass authentication and gain unauthorized access to user accounts. It affects all InsightVM installations using the Security Console before version 8.34.0. Successful exploitation results in full account takeover.
💻 Affected Systems
- Rapid7 InsightVM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all InsightVM accounts, allowing attackers to access sensitive vulnerability data, modify scan results, and potentially pivot to other systems.
Likely Case
Targeted account takeover of specific InsightVM users, leading to unauthorized access to vulnerability data and potential data exfiltration.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the vulnerable endpoint.
🎯 Exploit Status
The vulnerability allows unauthenticated exploitation by sending specially crafted SAML assertions to the ACS endpoint without requiring valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.34.0
Vendor Advisory: https://docs.rapid7.com/insight/command-platform-release-notes/
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Download InsightVM version 8.34.0 or later from the Rapid7 portal.
3. Stop InsightVM services.
4. Apply the update following Rapid7's upgrade documentation.
5. Restart services and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the ACS endpoint to only trusted identity providers.
SAML Configuration Review
Review and harden SAML configuration settings.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate InsightVM from untrusted networks
- Enable multi-factor authentication for all InsightVM accounts as additional protection layer
🔍 How to Verify
Check if Vulnerable:
Check InsightVM version via web interface or command line. If version is below 8.34.0 and using Security Console with SAML, the system is vulnerable.
Check Version:
On Windows: Check InsightVM version in web interface. On Linux: Check installation directory version files or use 'rpm -qa | grep insightvm' or equivalent package manager command.
Verify Fix Applied:
After upgrading to 8.34.0 or later, verify that SAML assertions are properly validated and session cookies are only issued for signed assertions.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login from unexpected sources
- SAML assertion processing errors
- Session creation without proper authentication logs
Network Indicators:
- Unusual traffic patterns to /acs endpoint
- SAML requests from unexpected IP addresses
- High volume of authentication requests
SIEM Query:
source="insightvm" AND (event_type="authentication" AND result="success") AND NOT (source_ip IN [trusted_ip_list])
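The SIEM query above and the log indicators listed before it can be checked offline against exported logs. The following Python script is an added example, not Rapid7 code or a real InsightVM log parser: the line format, the trusted networks and the sample log lines are all constructed for illustration, and the regular expression must be adapted to the actual Security Console authentication log format in use. It implements four of the listed indicators: successful authentication from a source outside the trusted list (the SIEM query), repeated failures followed by a success, session creation with no preceding successful authentication for that user, and SAML assertion processing errors.

```python
"""Offline detection helper for the InsightVM CVE-2026-1568 log indicators.

Added example. The log format below is CONSTRUCTED for illustration and is not
the real InsightVM Security Console format; adapt LINE_RE to your exported logs.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed trusted sources: the identity provider and administrator networks.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed line format:
#   <timestamp> event=<type> result=<success|fail> user=<name> src=<ip> [detail=<text>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=(?P<event>\S+)\s+result=(?P<result>\S+)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)(?:\s+detail=(?P<detail>.*))?$"
)

# Constructed sample log: alice logs in from a trusted network; bob fails twice,
# triggers a SAML signature error, then succeeds from an untrusted address;
# carol gets a session with no recorded authentication at all.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z event=authentication result=success user=alice src=192.168.50.12
2026-03-01T10:00:02Z event=session_created result=success user=alice src=192.168.50.12
2026-03-01T10:05:10Z event=authentication result=fail user=bob src=203.0.113.7 detail=bad_password
2026-03-01T10:05:11Z event=authentication result=fail user=bob src=203.0.113.7 detail=bad_password
2026-03-01T10:05:20Z event=saml_assertion result=fail user=- src=203.0.113.7 detail=signature_invalid
2026-03-01T10:05:25Z event=authentication result=success user=bob src=203.0.113.7 detail=saml
2026-03-01T10:05:26Z event=session_created result=success user=bob src=203.0.113.7
2026-03-01T10:09:00Z event=session_created result=success user=carol src=10.1.2.3
"""


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(ip_text):
    """True if the source address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is never treated as trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def untrusted_successful_logins(events):
    """Equivalent of the SIEM query: successful authentication from a non-trusted source."""
    return [(e["user"], e["src"]) for e in events
            if e["event"] == "authentication" and e["result"] == "success"
            and not is_trusted(e["src"])]


def sessions_without_authentication(events):
    """Users who received a session without any earlier successful authentication event."""
    authenticated = set()
    flagged = []
    for e in events:
        if e["event"] == "authentication" and e["result"] == "success":
            authenticated.add(e["user"])
        elif e["event"] == "session_created" and e["user"] not in authenticated:
            flagged.append(e["user"])
    return flagged


def failures_then_success(events, min_failures=2):
    """Users with at least min_failures failed logins immediately followed by a success."""
    failures = defaultdict(int)
    flagged = []
    for e in events:
        if e["event"] != "authentication":
            continue
        if e["result"] == "fail":
            failures[e["user"]] += 1
        elif e["result"] == "success":
            if failures[e["user"]] >= min_failures:
                flagged.append(e["user"])
            failures[e["user"]] = 0  # reset the streak after a success
    return flagged


def saml_processing_errors(events):
    """SAML assertion events that failed processing (e.g. signature checks)."""
    return [e for e in events if e["event"] == "saml_assertion" and e["result"] == "fail"]


def run_checks(text=SAMPLE_LOG):
    """Run all indicator checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "untrusted_success": untrusted_successful_logins(events),
        "session_without_auth": sessions_without_authentication(events),
        "failures_then_success": failures_then_success(events),
        "saml_errors": [(e["src"], e["detail"]) for e in saml_processing_errors(events)],
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

Each check is deliberately independent, so a single finding (for example an untrusted successful login) is only a lead; a session issued with no authentication record for the same user, or a SAML processing error immediately before a success from the same source, is the combination worth escalating. Run the script against a real export by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE and TRUSTED_NETWORKS.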