Skip to main content

Microsoft CVE-2026-4482

| EUVDEUVD-2026-21303 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-04-10 rapid7 GHSA-3r4x-4pr5-j666
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
4.1.0.2
EUVD ID Assigned
Apr 10, 2026 - 04:45 euvd
EUVD-2026-21303
Analysis Generated
Apr 10, 2026 - 04:45 vuln.today
CVE Published
Apr 10, 2026 - 04:22 nvd
MEDIUM 6.8

DescriptionCVE.org

The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent identity material to any locally authenticated standard user.

AnalysisAI

Improperly restricted file permissions on Rapid7 Insight Agent installer certificate files on Windows systems allow locally authenticated standard users to read the agent's private key (client.key), enabling identity material disclosure and potential lateral movement or agent impersonation. CVSS 6.8 (CVSS:4.0 LOCAL/LOW complexity, PR:L) reflects local authentication requirement; CISA KEV status not confirmed. Rapid7 released patched version 4.1.0.2 addressing this permission misconfiguration.

Technical ContextAI

The vulnerability stems from weak file system permissions (CWE-732: Incorrect Permission Assignment for Critical Resource) applied to SSL certificate files stored in the …/bootstrap/common/ssl installation directory on Windows. The client.key file, which contains the agent's private cryptographic material used for authentication and identity assertion, is readable by any locally authenticated standard user due to default or overly permissive DACL (Discretionary Access Control List) settings. This violates the principle of least privilege and exposes sensitive keying material typically protected at administrator/SYSTEM level. Windows file ACLs should restrict read access to the client.key to the agent process owner and administrative accounts only.

RemediationAI

Upgrade Rapid7 Insight Agent to version 4.1.0.2 or later, which applies restrictive file permissions to certificate files in the …/bootstrap/common/ssl directory. After patching, verify that client.key and associated certificate files are readable only by SYSTEM and the agent process user account, not by standard users. For systems unable to patch immediately, implement Windows NTFS ACL restrictions manually: navigate to the installation …/bootstrap/common/ssl folder, right-click each certificate file (especially client.key), select Properties > Security > Edit, and remove or deny Read access for standard users and the Authenticated Users group. Consult Rapid7's April 2026 release notes (https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes) for additional post-patch validation guidance.

Share

CVE-2026-4482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy