{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6482", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2026-04-17T04:25:38.616Z", "datePublished": "2026-04-17T05:19:20.485Z", "dateUpdated": "2026-04-17T12:16:15.294Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-04-17T05:22:25.106Z"}, "title": "Local Privilege Escalation via OpenSSL configuration file in Insight Agent", "datePublic": "2026-04-09T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-829", "description": "CWE-829 Inclusion of functionality from untrusted control sphere", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"vendor": "Rapid7", "product": "Insight Agent", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.0.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM\u00a0level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent\u2019s SYSTEM level access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Rapid7 Insight Agent (versions &gt; 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain <b>SYSTEM</b>&nbsp;level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted <code>openssl.cnf</code> file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent\u2019s <b>SYSTEM</b> level access."}]}], "references": [{"url": "https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P"}}], "credits": [{"lang": "en", "value": "Dell Security Assurance Team", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T12:16:08.355156Z", "id": "CVE-2026-6482", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T12:16:15.294Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM\u00a0level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent\u2019s SYSTEM level access."}], "id": "CVE-2026-6482", "lastModified": "2026-04-17T06:16:30.593", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2026-04-17T06:16:30.593", "references": [{"source": "cve@rapid7.com", "url": "https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@rapid7.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.1.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Insight Agent", "source": "cna", "vendor": "Rapid7"}, "product": "insight_agent", "vendor": "rapid7"}], "analysis": {"en": {"generated_at": "2026-04-17T07:51:28.954569+00:00", "value": {"mitigation_remediation": ["Install the latest Rapid7 Insight Agent update that includes the fix for CVE-2026-6482.", "Revoke write permissions on the directory used for OpenSSL configuration files so that only the SYSTEM account can write to it.", "Delete any existing openssl.cnf files in that directory to prevent accidental execution of malicious commands."], "summary": {"action": "Apply Patch", "impact": "Local privilege escalation to SYSTEM level"}, "threat_synthesis": {"affected_systems": "The issue affects Rapid7 Insight Agent versions newer than 4.1.0.2 running on Windows hosts. Any installation of the agent in that range is vulnerable if the problematic directory remains writable by standard users.", "description_and_impact": "The vulnerability allows a local user to craft an openssl.cnf file in a writable but non\u2011existent directory, causing the Insight Agent service, which runs as SYSTEM, to load the file and execute arbitrary commands. This results in full host compromise with SYSTEM\u2011level privileges. The flaw is a CWE\u2011829 issue where operations are improperly restricted within an extension component.", "risk_and_exploitability": "With a CVSS score of 8.5 the flaw is assessed as high severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is local; an attacker only needs a standard user account and must be able to write to the specified directory. The exploit condition is that the agent attempts to load a configuration file from a path that does not exist but is writable, allowing the planted file to be interpreted and executed by the SYSTEM\u2011level service. Once executed, the attacker can run arbitrary commands and fully control the host."}}}}, "created": "2026-04-17T08:00:11.082964+00:00", "updated": "2026-04-17T08:30:13.632696+00:00", "vendors": ["rapid7", "rapid7$PRODUCT$insight_agent"]}