Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.
AnalysisAI
Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Insight Agent's beacon response handling mechanism on Linux, specifically in code that uses the eval() function to process responses from the Rapid7 Platform. CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, or 'Code Injection') indicates that untrusted data from beacon responses is passed directly into eval() without proper sanitization or validation. The agent implements mutual TLS (mTLS) authentication to communicate with the backend platform, which serves as a mitigating control-legitimate beacon responses must originate from authenticated Rapid7 Platform infrastructure. However, if an attacker gains high-privilege access to the backend platform or can perform a man-in-the-middle attack against the mTLS channel, they can craft a malicious beacon response containing code payloads that will be executed with root privileges by the eval() function.
RemediationAI
Vendor-released patch: Upgrade Rapid7 Insight Agent to version 4.1.0.2 or later. Organizations should prioritize this update for all Linux systems running versions prior to 4.1.0.2. Rapid7 has published release notes and upgrade guidance at https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes. Until patching is completed, monitor beacon traffic for unusual responses and ensure mTLS certificates are current and restricted to authorized Rapid7 Platform infrastructure. No workaround disables the vulnerability; patching is the primary remediation path.
More in Insight Agent
View allRapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker
Rapid7 Insight Agent, version 2.6.3 and prior, suffers from a local privilege escalation due to an uncontrolled DLL sear
Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL se
Rapid7 Insight Agent token handler versions 3.2.6 and below, suffer from a Directory Traversal vulnerability whereby uns
Same weakness CWE-95 – Eval Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20505
GHSA-5gqp-c836-45cr