Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent identity material to any locally authenticated standard user.
AnalysisAI
Improperly restricted file permissions on Rapid7 Insight Agent installer certificate files on Windows systems allow locally authenticated standard users to read the agent's private key (client.key), enabling identity material disclosure and potential lateral movement or agent impersonation. CVSS 6.8 (CVSS:4.0 LOCAL/LOW complexity, PR:L) reflects local authentication requirement; CISA KEV status not confirmed. Rapid7 released patched version 4.1.0.2 addressing this permission misconfiguration.
Technical ContextAI
The vulnerability stems from weak file system permissions (CWE-732: Incorrect Permission Assignment for Critical Resource) applied to SSL certificate files stored in the …/bootstrap/common/ssl installation directory on Windows. The client.key file, which contains the agent's private cryptographic material used for authentication and identity assertion, is readable by any locally authenticated standard user due to default or overly permissive DACL (Discretionary Access Control List) settings. This violates the principle of least privilege and exposes sensitive keying material typically protected at administrator/SYSTEM level. Windows file ACLs should restrict read access to the client.key to the agent process owner and administrative accounts only.
RemediationAI
Upgrade Rapid7 Insight Agent to version 4.1.0.2 or later, which applies restrictive file permissions to certificate files in the …/bootstrap/common/ssl directory. After patching, verify that client.key and associated certificate files are readable only by SYSTEM and the agent process user account, not by standard users. For systems unable to patch immediately, implement Windows NTFS ACL restrictions manually: navigate to the installation …/bootstrap/common/ssl folder, right-click each certificate file (especially client.key), select Properties > Security > Edit, and remove or deny Read access for standard users and the Authenticated Users group. Consult Rapid7's April 2026 release notes (https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes) for additional post-patch validation guidance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21303
GHSA-3r4x-4pr5-j666