Skip to main content

OpenSSL EUVDEUVD-2026-23376

| CVE-2026-6482 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-04-17 rapid7 GHSA-6rgm-mxx7-qxmc
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 28, 2026 - 18:14 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Patch available
Apr 17, 2026 - 07:01 EUVD
Analysis Generated
Apr 17, 2026 - 06:27 vuln.today
CVSS changed
Apr 17, 2026 - 06:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 17, 2026 - 06:15 euvd
EUVD-2026-23376
Analysis Generated
Apr 17, 2026 - 06:15 vuln.today
CVE Published
Apr 17, 2026 - 05:19 nvd
HIGH 8.5

DescriptionCVE.org

The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.

AnalysisAI

Local privilege escalation in Rapid7 Insight Agent (versions > 4.1.0.2) on Windows allows unprivileged users to execute arbitrary code as SYSTEM via OpenSSL configuration file planting. The agent service loads openssl.cnf from a non-existent directory writable by standard users, enabling full host compromise without authentication. CVSS 8.5 with proof-of-concept exploit code available (E:P). EPSS data not provided; not currently listed in CISA KEV.

Technical ContextAI

This vulnerability exploits a classic DLL search order hijacking pattern applied to configuration files. The Rapid7 Insight Agent service runs with SYSTEM privileges and uses OpenSSL libraries. On startup, the service attempts to load an OpenSSL configuration file (openssl.cnf) from a directory path that does not exist by default but falls within user-writable filesystem locations (likely C:\Users\[username]\ or similar paths where standard users have write permissions). OpenSSL allows configuration files to specify custom cryptographic engines and initialization commands. By creating the missing directory structure and planting a malicious openssl.cnf containing engine loading directives or command execution hooks, an attacker can force the high-privilege service to execute arbitrary code during its initialization phase. This is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) because the privileged process trusts configuration data from an attacker-controlled location. The affected component is specifically the Rapid7 Insight Agent for Windows, which provides endpoint visibility and management for Rapid7's cloud platform.

RemediationAI

Upgrade Rapid7 Insight Agent to version 4.1.0.2 or earlier if possible, or apply the patched version released in April 2026 per the vendor advisory at https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes. The exact fixed version number is not specified in available data but should be confirmed from the release notes. As an interim workaround until patching is complete, restrict local user access to systems running the agent to trusted administrators only, though this may not be operationally feasible in many environments. Organizations can also implement filesystem access controls to deny standard users write permissions to the specific directory path where the agent attempts to load openssl.cnf (exact path should be obtained from Rapid7 support), though this may cause compatibility issues if the agent expects that path to be accessible. Monitor for suspicious openssl.cnf file creation in user-writable directories using EDR or file integrity monitoring tools as a detective control, though prevention through patching is strongly preferred.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

EUVD-2026-23376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy