🔐 CVE Alert

CVE-2026-5329

HIGH 8.5

Rapid7 Velociraptor Improper Input Validation in Client Message Handler

CVSS Score: 8.5
EPSS Score: 0.2%
EPSS Percentile: 45th

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.

CWE: CWE-20
Vendor: rapid7
Product: velociraptor
Published: Apr 9, 2026
Last Updated: Apr 16, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Rapid7 / Velociraptor
0 ≤ 0.76.3
0 ≤ 0.75.6
0 ≤ 0.74.6

References

NVD, CVE.org, EPSS Data
docs.velociraptor.app: https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/

Credits

🔍 We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue.