CVE-2026-4837

MEDIUM 6.6

Eval Injection in Rapid7 Insight Agent

CVSS Score

6.6

EPSS Score

0.2%

EPSS Percentile

46th

An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.

CWE	CWE-95
Vendor	rapid7
Product	insight agent
Published	Apr 8, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for rapid7 insight agent

Be the first to know when new medium vulnerabilities affecting rapid7 insight agent are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Rapid7 / Insight Agent

0 < 4.1.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.rapid7.com: https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes

Credits

🔍 John Rodriguez Cyberdagger