CVE-2026-6482

UNKNOWN 0.0

Local Privilege Escalation via OpenSSL configuration file in Insight Agent

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.

CWE	CWE-829
Vendor	rapid7
Product	insight agent
Published	Apr 17, 2026
Last Updated	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for rapid7 insight agent

Be the first to know when new unknown vulnerabilities affecting rapid7 insight agent are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Rapid7 / Insight Agent

0 < 4.1.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.rapid7.com: https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes

Credits

Dell Security Assurance Team