CVE-2026-4837 MEDIUM

CVE-2026-4837: Eval Injection in Rapid7 Insight Agent

Vendor Rapid7
Product Insight Agent
Weakness CWE-95 · Eval injection
Published April 8, 2026
Last update April 13, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

An eval() injection vulnerability in the beaconing logic of Linux versions of the Rapid7 Insight Agent could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() call could be exploited remotely without prior, highly privileged access to the backend platform; this is reflected in the High privileges-required and High attack-complexity metrics above. The mTLS check limits who can reach the eval() call, but it does not make the call itself safe: any party that can speak for the platform controls what the agent evaluates as root.
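The following is an added illustration of the CWE-95 pattern the description names, written for this page; it is not Rapid7 Insight Agent code and says nothing about how the agent actually parses beacon replies. It assumes, for illustration only, a Python agent whose beacon reply is a JSON-shaped object with `cmd` and `interval` fields, and shows why handing that body to `eval()` turns a data channel into a code channel while a real parser plus validation does not.

```python
"""Constructed CWE-95 example: a beacon-reply handler that uses eval() beside
a hardened one. Not Rapid7 code; the message format, the field names and the
allowed command set are assumptions made for this illustration."""
import json

# Constructed benign reply: a JSON object literal, which also happens to be a
# valid Python expression. That coincidence is what makes eval() tempting.
BENIGN_RESPONSE = '{"cmd": "poll", "interval": 60}'

# Constructed crafted reply: still "looks like" the benign one, but the value
# of "interval" is a Python call expression. eval() runs it. The side effect
# is deliberately harmless (append to a list) so this file is safe to run;
# in an agent running as root it could be any call the attacker likes.
EXECUTED = []
CRAFTED_RESPONSE = (
    '{"cmd": "poll", "interval": EXECUTED.append("pwned") or 60}'
)

ALLOWED_CMDS = {"poll", "update", "restart"}


def parse_beacon_unsafe(raw: str) -> dict:
    """Vulnerable pattern (CWE-95): the server-controlled body is evaluated
    as Python. Whatever the reply contains executes with the agent's
    privileges; TLS only decides who gets to send it."""
    return eval(raw)  # deliberately unsafe; the point of the example


def parse_beacon_safe(raw: str) -> dict:
    """Hardened pattern: decode as data only, then validate shape and values
    before anything in the reply is allowed to drive behaviour."""
    try:
        msg = json.loads(raw)  # parses data; never executes anything
    except json.JSONDecodeError as exc:
        raise ValueError(f"beacon reply is not valid JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise ValueError("beacon reply must be a JSON object")
    cmd = msg.get("cmd")
    if cmd not in ALLOWED_CMDS:
        raise ValueError(f"unknown command {cmd!r}")
    interval = msg.get("interval")
    # bool is a subclass of int in Python, so exclude it explicitly
    if (not isinstance(interval, int) or isinstance(interval, bool)
            or not 1 <= interval <= 86400):
        raise ValueError("interval must be an integer number of seconds in 1..86400")
    return {"cmd": cmd, "interval": interval}


def demo() -> dict:
    """Run both parsers over both replies and report what each one did."""
    results = {}
    results["unsafe_benign"] = parse_beacon_unsafe(BENIGN_RESPONSE)
    results["unsafe_crafted"] = parse_beacon_unsafe(CRAFTED_RESPONSE)
    results["side_effect"] = list(EXECUTED)  # non-empty: the call ran
    results["safe_benign"] = parse_beacon_safe(BENIGN_RESPONSE)
    try:
        parse_beacon_safe(CRAFTED_RESPONSE)
        results["safe_crafted"] = "accepted"
    except ValueError as exc:
        results["safe_crafted"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both parsers return the same dictionary for the benign reply, which is why the unsafe one survives testing; the difference only shows on the crafted reply, where `eval()` executes the embedded call and `json.loads()` rejects the body outright. The practical check for a code base is to grep for `eval(`, `exec(` and equivalents on any path that touches network input, regardless of how well that channel is authenticated.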

Key dates

02 Disclosure timeline

April 8, 2026 CVE published
April 13, 2026 Record updated