What is the CVSS score of CVE-2026-5329?

CVE-2026-5329 has a CVSS 3.1 base score of 8.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Rapid7 Velociraptor are affected by CVE-2026-5329?

Rapid7 Velociraptor server versions prior to 0.76.2 contain a remote code execution vulnerability that allows authenticated clients to inject malicious messages into privileged internal queues,…. A patch is available.

How to fix or mitigate CVE-2026-5329?

Within 24 hours: Inventory all Rapid7 Velociraptor server deployments and identify running versions. Within 7 days: Upgrade all Velociraptor servers to version 0.76.2 or later; prioritize production incident response and forensic analysis systems first. Coordinate with teams managing Velociraptor endpoints to ensure client compatibility post-upgrade. Within 30 days: Audit authentication logs for suspicious client activity (queue injection attempts, unusual message patterns) and review client credential governance to identify and revoke any compromised or unnecessary authenticated access.

Rapid7 Velociraptor CVE-2026-5329

EUVD-2026-21002 HIGH

Improper Input Validation (CWE-20)

2026-04-09 rapid7

GHSA-3wq5-x8p8-2v3p

RCE Velociraptor

8.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.5 HIGH

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

SUSE

HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 28, 2026 - 00:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 28, 2026 - 00:22 vuln.today

cvss_changed

EUVD ID Assigned

Apr 09, 2026 - 18:15 euvd

EUVD-2026-21002

Analysis Generated

Apr 09, 2026 - 18:15 vuln.today

CVE Published

Apr 09, 2026 - 17:52 nvd

HIGH 8.5

DescriptionCVE.org

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.

AnalysisAI

Remote code execution in Rapid7 Velociraptor server (primarily Linux) allows authenticated clients to write malicious messages to privileged internal queues via improper queue name validation. Affected versions prior to 0.76.2 (including 0.75.6, 0.74.6, and 0.76.1) are vulnerable to queue injection attacks from rogue authenticated clients. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid Velociraptor client credentials

Delivery

Establish authenticated client connection to server

Exploit

Craft monitoring message with malicious queue name

Execution

Inject payload into privileged internal queue

Persist

Server processes queue message

Impact

Execute arbitrary code as Velociraptor server

Access

Obtain valid Velociraptor client credentials

Delivery

Establish authenticated client connection to server

Exploit

Craft monitoring message with malicious queue name

Execution

Inject payload into privileged internal queue

Persist

Server processes queue message

Impact

Execute arbitrary code as Velociraptor server

Vulnerability AssessmentAI

Exploitation	Requires authenticated Velociraptor client access-attacker must possess valid client credentials or control over an enrolled endpoint with established client certificate. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 8.5 (High) score reflects significant theoretical impact (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) with network attack vector, high attack complexity, low privilege requirement, and scope change indicating container/trust boundary escape. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has compromised a Velociraptor client endpoint (or obtained valid client credentials through credential theft, insider threat, or lateral movement) connects to the Velociraptor server and sends a crafted client monitoring message. Instead of using legitimate queue names for monitoring data submission, the attacker specifies a malicious queue name targeting an internal privileged queue used for server administrative functions or VQL artifact deployment. …
Remediation	Upgrade immediately to Rapid7 Velociraptor version 0.76.2 or later, which implements proper queue name validation in the client monitoring message handler. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Rapid7 Velociraptor server deployments and identify running versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
SUSE Linux Enterprise Server 16.1	Fixed
SUSE Linux Enterprise Server for SAP applications 16.1	Fixed

CVE-2026-5329 vulnerability details – vuln.today

Back

Rapid7 Velociraptor CVE-2026-5329

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code