Skip to main content

Insight Agent CVE-2026-4837

| EUVDEUVD-2026-20505 MEDIUM
Eval Injection (CWE-95)
2026-04-08 rapid7 GHSA-5gqp-c836-45cr
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
4.1.0.2
EUVD ID Assigned
Apr 08, 2026 - 16:31 euvd
EUVD-2026-20505
Analysis Generated
Apr 08, 2026 - 16:31 vuln.today
CVE Published
Apr 08, 2026 - 15:59 nvd
MEDIUM 6.6

DescriptionCVE.org

An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.

AnalysisAI

Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Insight Agent's beacon response handling mechanism on Linux, specifically in code that uses the eval() function to process responses from the Rapid7 Platform. CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, or 'Code Injection') indicates that untrusted data from beacon responses is passed directly into eval() without proper sanitization or validation. The agent implements mutual TLS (mTLS) authentication to communicate with the backend platform, which serves as a mitigating control-legitimate beacon responses must originate from authenticated Rapid7 Platform infrastructure. However, if an attacker gains high-privilege access to the backend platform or can perform a man-in-the-middle attack against the mTLS channel, they can craft a malicious beacon response containing code payloads that will be executed with root privileges by the eval() function.

RemediationAI

Vendor-released patch: Upgrade Rapid7 Insight Agent to version 4.1.0.2 or later. Organizations should prioritize this update for all Linux systems running versions prior to 4.1.0.2. Rapid7 has published release notes and upgrade guidance at https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes. Until patching is completed, monitor beacon traffic for unusual responses and ensure mTLS certificates are current and restricted to authorized Rapid7 Platform infrastructure. No workaround disables the vulnerability; patching is the primary remediation path.

Share

CVE-2026-4837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy