CVE-2026-1568
Published: 03 February 2026
Summary
CVE-2026-1568 is a critical-severity Improper Authentication (CWE-287) vulnerability in Rapid7 InsightVM (inferred from references). Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 6.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
IA-2 requires enforcement of robust identification and authentication mechanisms that verify cryptographic signatures on SAML assertions to prevent processing unsigned assertions and unauthorized account access.
SI-7 mandates software, firmware, and information integrity verification mechanisms, such as cryptographic signature validation on authentication assertions, to block unsigned or tampered data from granting session access.
SI-2 ensures timely identification, reporting, and correction of flaws like the signature verification bypass, enabling patching to InsightVM 8.34.0 to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Signature verification bypass in exposed ACS endpoint directly enables remote exploitation of a public-facing application for auth bypass and account takeover.
NVD Description
Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts set up via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.
Deeper analysis (AI-generated)
Rapid7 InsightVM versions prior to 8.34.0 are affected by CVE-2026-1568, a signature verification vulnerability in the Assertion Consumer Service (ACS) cloud endpoint. The flaw stems from the application processing unsigned assertions, which leads to the issuance of session cookies granting access to targeted user accounts configured via "Security Console" installations. This issue is rated at a CVSS v3.1 score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-287 (Improper Authentication) and CWE-347 (Improper Verification of Cryptographic Signature).
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. By submitting unsigned assertions to the ACS endpoint, the attacker bypasses authentication, achieving full account takeover of InsightVM accounts. This grants complete access to the compromised user's session and associated resources.
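The paragraphs above describe the failure mode in general terms: an ACS endpoint that processes an assertion carrying no signature and issues a session for whatever subject it names. The example below is added here to illustrate that CWE-347 pattern and the corresponding check a defender expects; it is not Rapid7's code and does not reproduce InsightVM's actual implementation. All names, URLs and keys in it are constructed, and XML-DSig is replaced by an HMAC-SHA256 over the serialised assertion so that the block runs with the Python standard library alone.

```python
"""Added example (not Rapid7's code): a minimal Assertion Consumer Service that
models an ACS which processes unsigned assertions, next to a hardened version
that refuses anything it cannot verify.

Simplifications, all assumptions of this example:
  * XML-DSig is replaced by an HMAC-SHA256 over the serialised <Assertion>
    element, carried in a sibling <Signature> element.
  * The "session cookie" is a plain dict instead of a real HTTP cookie.
"""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-demo-key"  # constructed stand-in for the IdP signing key
TRUSTED_ISSUER = "https://idp.example/constructed"        # constructed
EXPECTED_AUDIENCE = "https://console.example/constructed"  # constructed


def _assertion_digest(assertion: ET.Element) -> bytes:
    """HMAC over the canonical bytes of the <Assertion> element (DSig stand-in)."""
    canonical = ET.tostring(assertion, encoding="utf-8")
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).digest()


def build_response(subject: str, issuer: str = TRUSTED_ISSUER,
                   sign: bool = True, lifetime: int = 300) -> bytes:
    """Constructed IdP side: emit a <Response> with an <Assertion>, optionally signed."""
    resp = ET.Element("Response")
    a = ET.SubElement(resp, "Assertion")
    ET.SubElement(a, "Issuer").text = issuer
    ET.SubElement(a, "Subject").text = subject
    ET.SubElement(a, "Audience").text = EXPECTED_AUDIENCE
    ET.SubElement(a, "NotOnOrAfter").text = str(int(time.time()) + lifetime)
    if sign:
        ET.SubElement(resp, "Signature").text = _assertion_digest(a).hex()
    return ET.tostring(resp, encoding="utf-8")


def _parse(saml_response: bytes):
    root = ET.fromstring(saml_response)
    return root.find("Assertion"), root.find("Signature")


def _signature_ok(assertion, signature) -> bool:
    try:
        given = bytes.fromhex(signature.text or "")
    except ValueError:
        return False
    return hmac.compare_digest(given, _assertion_digest(assertion))


def vulnerable_acs(saml_response: bytes):
    """CWE-347 pattern: a signature is verified when present, but a response with
    no <Signature> element is processed anyway and a session is issued for
    whatever Subject it names."""
    assertion, signature = _parse(saml_response)
    if assertion is None:
        return None
    if signature is not None and not _signature_ok(assertion, signature):
        return None
    return {"session_for": assertion.findtext("Subject")}


def hardened_acs(saml_response: bytes, now=None):
    """Signature is mandatory; issuer, audience and validity window are checked
    before any session is issued."""
    now = int(time.time()) if now is None else now
    assertion, signature = _parse(saml_response)
    if assertion is None or signature is None:
        return None
    if not _signature_ok(assertion, signature):
        return None
    if assertion.findtext("Issuer") != TRUSTED_ISSUER:
        return None
    if assertion.findtext("Audience") != EXPECTED_AUDIENCE:
        return None
    try:
        if now >= int(assertion.findtext("NotOnOrAfter") or "0"):
            return None
    except ValueError:
        return None
    return {"session_for": assertion.findtext("Subject")}


def demo() -> dict:
    """Run both handlers over three constructed responses; True means a session was issued."""
    signed = build_response("alice")
    unsigned = build_response("admin", sign=False)
    # Tampered: a validly signed response whose Subject is altered after signing.
    tampered = build_response("alice").replace(b"<Subject>alice</Subject>",
                                               b"<Subject>admin</Subject>")
    cases = {"signed": signed, "unsigned": unsigned, "tampered": tampered}
    return {name: {"vulnerable": vulnerable_acs(r) is not None,
                   "hardened": hardened_acs(r) is not None}
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} vulnerable={outcome['vulnerable']} hardened={outcome['hardened']}")
```

Running `demo()` shows the distinguishing case: both handlers accept the properly signed assertion and reject the tampered one, but only the hardened handler rejects the unsigned one. The design point is that the absence of a signature must be a hard failure, never a reason to skip verification, and that signature validity alone is not sufficient: issuer, audience and the validity window still have to match the relying party's expectations.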
Rapid7 has addressed the vulnerability in InsightVM version 8.34.0. Security practitioners should upgrade to this version or later, as detailed in the release notes at https://docs.rapid7.com/insight/command-platform-release-notes/. No additional mitigations are specified in available advisories.
Details
- CWE(s)