Rapid7 InsightVM
cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*
- < 8.34.0
A SAML signature verification vulnerability has been identified in Rapid7 InsightVM versions prior to 8.34.0. The issue resides in the Assertion Consumer Service (ACS) cloud endpoint, which accepts and processes SAML assertions that carry no signature, so a valid identity-provider signature is not required for an assertion to be trusted. An attacker who can reach the endpoint with a crafted, unsigned assertion for a chosen user can have the platform issue session cookies for that account, gaining unauthorized access to InsightVM accounts linked to Security Console installations, up to full account takeover.
Exploitation of this vulnerability could result in unauthorized access to InsightVM accounts and full account takeover.
Users can upgrade to Rapid7 InsightVM version 8.34.0 or later to address this vulnerability.
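The gate an ACS must apply before it trusts an assertion, shown as an added example (not Rapid7's code or a reconstruction of it): the vulnerable form trusts whatever Assertion it finds, the hardened form requires exactly one Assertion, an enveloped ds:Signature as its direct child, a Reference bound to that Assertion's own ID, and a passing signature check. Cryptographic verification of the XML signature is delegated to a caller-supplied function (in production a library such as python3-saml/xmlsec); the stand_in_verifier here is an assumption that only recognises a placeholder SignatureValue, and all SAML messages are constructed inline, not captured traffic.

```python
import xml.etree.ElementTree as ET  # parse untrusted SAML with defusedxml in practice

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def acs_vulnerable(response_xml):
    """The behaviour the advisory describes: the first Assertion in the
    Response is trusted whether or not it carries a signature."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def acs_hardened(response_xml, verify_signature):
    """Return the NameID only if the Response holds exactly one Assertion,
    that Assertion carries an enveloped ds:Signature as a direct child,
    the Signature's Reference points at this Assertion's own ID, and
    verify_signature() accepts it. Raises ValueError otherwise."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # direct child only, never .//
    if sig is None:
        raise ValueError("unsigned Assertion rejected")
    assertion_id = assertion.get("ID")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if not assertion_id or ref is None or ref.get("URI") != "#" + assertion_id:
        raise ValueError("Signature does not reference this Assertion")
    if not verify_signature(assertion, sig):
        raise ValueError("Signature verification failed")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def stand_in_verifier(assertion, sig):
    """Stand-in for XML-DSig verification (assumption, not real crypto):
    accepts only the placeholder SignatureValue used in the samples below."""
    return sig.findtext("ds:SignatureValue", namespaces=NS) == "c2lnbmVk"


# Constructed samples (not captured traffic).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{rid}">')


def _assertion(aid, name_id, signature=""):
    return ('<saml:Assertion ID="' + aid + '">' + signature + '<saml:Subject>'
            '<saml:NameID>' + name_id + '</saml:NameID></saml:Subject></saml:Assertion>')


def _signature(target_id):
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#' + target_id + '"/>'
            '</ds:SignedInfo><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>')


# Forged Response: Assertion for the victim, no Signature at all.
FORGED_UNSIGNED = _HEAD.format(rid="_r1") + _assertion("_a1", "victim@example.com") + "</samlp:Response>"
# Legitimate Response: Assertion signed, Reference bound to the Assertion ID.
SIGNED = _HEAD.format(rid="_r2") + _assertion("_a2", "alice@example.com", _signature("_a2")) + "</samlp:Response>"
# Signature present but bound to the Response ID, not the Assertion.
MISBOUND = _HEAD.format(rid="_r3") + _assertion("_a3", "victim@example.com", _signature("_r3")) + "</samlp:Response>"
# Unsigned victim Assertion placed in front of a genuinely signed one.
DOUBLE = (_HEAD.format(rid="_r4") + _assertion("_a4", "victim@example.com")
          + _assertion("_a5", "alice@example.com", _signature("_a5")) + "</samlp:Response>")


def outcomes():
    """Run every sample through both endpoints; 'rejected: ...' on ValueError."""
    results = {}
    samples = (("forged", FORGED_UNSIGNED), ("signed", SIGNED),
               ("misbound", MISBOUND), ("double", DOUBLE))
    for name, xml in samples:
        results["vulnerable/" + name] = acs_vulnerable(xml)
        try:
            results["hardened/" + name] = acs_hardened(xml, stand_in_verifier)
        except ValueError as e:
            results["hardened/" + name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for key, value in outcomes().items():
        print(f"{key:20s} -> {value}")
```

The vulnerable endpoint hands back victim@example.com for the forged, misbound and doubled samples; the hardened one accepts only the properly bound, signed assertion. The structural checks (signature present, direct child, Reference URI equal to the Assertion ID, single Assertion) are what the crypto library cannot do for you, and skipping any of them reopens a variant of the same unsigned-assertion problem.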