Is Velociraptor affected by CVE-2026-5329?

Rapid7 Velociraptor self-hosted deployments (versions before 0.76.2) are vulnerable to authenticated remote code execution through malicious client monitoring messages, allowing attackers with valid credentials to execute arbitrary code on Linux servers.

CVE-2026-5329

Q: How to fix CVE-2026-5329?

Within 24 hours: Identify all self-hosted Velociraptor instances (Rapid7 Hosted is unaffected) and document versions via administrative console or API queries; restrict client enrollment and authentication to trusted networks only via firewall/network segmentation. Within 7 days: Monitor vendor advisory channel (https://velociraptor.velocidex.com) for patch release targeting 0.76.2 or later; prepare upgrade procedure and test in non-production environment. Within 30 days: Deploy patched version 0.76.2 or later to all self-hosted instances; validate client-server connections post-upgrade and review authentication logs for unauthorized access attempts.

EUVD-2026-21002 HIGH

2026-04-09 rapid7

GHSA-3wq5-x8p8-2v3p

8.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 09, 2026 - 18:15 vuln.today

EUVD ID Assigned

Apr 09, 2026 - 18:15 euvd

EUVD-2026-21002

CVE Published

Apr 09, 2026 - 17:52 nvd

HIGH 8.5

Description

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.

Analysis

Remote code execution in Rapid7 Velociraptor server (versions <0.76.2, primarily Linux) allows authenticated attackers to write arbitrary messages to privileged internal queues via crafted client monitoring messages with malicious queue names. Improper input validation in the server's client monitoring message handler fails to sanitize queue names supplied by rogue clients, enabling queue injection attacks that escalate to RCE. …

Remediation

Within 24 hours: Identify all self-hosted Velociraptor instances (Rapid7 Hosted is unaffected) and document versions via administrative console or API queries; restrict client enrollment and authentication to trusted networks only via firewall/network segmentation. Within 7 days: Monitor vendor advisory channel (https://velociraptor.velocidex.com) for patch release targeting 0.76.2 or later; prepare upgrade procedure and test in non-production environment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +42

POC: 0

CVE-2026-5329 vulnerability details – vuln.today

Back

CVE-2026-5329

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-5329

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code