CVE-2026-5329 HIGH

CVE-2026-5329: Rapid7 Velociraptor Improper Input Validation in Client Message Handler

Vendor Rapid7
Product Velociraptor
Weakness CWE-20 · Input validation
Published April 9, 2026
Last update April 16, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability (CWE-20) in the client monitoring message handler on the Velociraptor server (primarily Linux deployments). The server-side handler that receives monitoring messages from clients does not sufficiently validate the queue name carried in the message. A rogue client, that is, an authenticated remote attacker holding a valid client identity, can therefore write arbitrary messages to privileged internal server queues simply by sending a crafted monitoring message with a malicious queue name.

Writing to those privileged internal queues may lead to remote code execution on the Velociraptor server. The CVSS vector rates privileges required as Low and attack complexity as High, consistent with an attacker who controls an enrolled client but holds no server account.

Rapid7 Hosted Velociraptor instances are not affected by this vulnerability. Self-hosted deployments should upgrade to Velociraptor 0.76.2 or later.
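The bug class described above, as an added Go example that is not Velociraptor's code and does not reproduce its internals: a server handler that routes client monitoring messages to an internal queue named by the client. The queue names, message shape and handler names are assumptions made for the illustration. The vulnerable variant only checks that the named queue exists, so a rogue client can enqueue to a privileged server queue; the hardened variant validates the client-supplied name against an explicit allowlist before touching any queue.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed illustration of the bug class named in the advisory (CWE-20 on a
// client-supplied queue name). Nothing here is Velociraptor's real code; the
// queue names, message shape and handler names are assumptions for the example.

// MonitoringMessage is what a client sends to the server's monitoring handler.
// QueueName comes from the client and is therefore attacker-controlled.
type MonitoringMessage struct {
	ClientID  string
	QueueName string
	Payload   string
}

// Server owns a set of named internal queues. Some are meant to receive client
// monitoring data; others are privileged and only the server should enqueue to them.
type Server struct {
	Queues map[string][]string
}

// Hypothetical queue names. Only the entries in clientWritable may be targeted
// by a client; everything else is server-internal.
const (
	QueueClientEvents = "Client.Monitoring.Events"
	QueueClientStats  = "Client.Monitoring.Stats"
	QueueServerJobs   = "Server.Internal.Jobs" // privileged, server-only
)

var clientWritable = map[string]bool{
	QueueClientEvents: true,
	QueueClientStats:  true,
}

var ErrQueueNotPermitted = errors.New("queue not permitted for client writes")

func NewServer() *Server {
	return &Server{Queues: map[string][]string{
		QueueClientEvents: {},
		QueueClientStats:  {},
		QueueServerJobs:   {},
	}}
}

// HandleVulnerable only checks that the queue exists, so a rogue client can
// enqueue to any queue it can name, including the privileged one.
func (s *Server) HandleVulnerable(m MonitoringMessage) error {
	if _, ok := s.Queues[m.QueueName]; !ok {
		return fmt.Errorf("unknown queue %q", m.QueueName)
	}
	s.Queues[m.QueueName] = append(s.Queues[m.QueueName], m.Payload)
	return nil
}

// HandleHardened validates the client-supplied name against an explicit
// allowlist before any queue is touched. An allowlist is preferred over
// rejecting a "Server." prefix, because a denylist has to anticipate every
// privileged name and every spelling of it.
func (s *Server) HandleHardened(m MonitoringMessage) error {
	if !clientWritable[m.QueueName] {
		return fmt.Errorf("%w: client %s named %q", ErrQueueNotPermitted, m.ClientID, m.QueueName)
	}
	if _, ok := s.Queues[m.QueueName]; !ok {
		return fmt.Errorf("unknown queue %q", m.QueueName)
	}
	s.Queues[m.QueueName] = append(s.Queues[m.QueueName], m.Payload)
	return nil
}

// Len returns how many messages a queue holds; used to observe the effect.
func (s *Server) Len(queue string) int { return len(s.Queues[queue]) }

func main() {
	// Constructed rogue message: a client names a privileged server queue.
	rogue := MonitoringMessage{ClientID: "C.rogue", QueueName: QueueServerJobs, Payload: `{"run":"anything"}`}

	v := NewServer()
	fmt.Println("vulnerable:", v.HandleVulnerable(rogue), "| server queue depth:", v.Len(QueueServerJobs))

	h := NewServer()
	fmt.Println("hardened:", h.HandleHardened(rogue), "| server queue depth:", h.Len(QueueServerJobs))
}
```

The allowlist is the point of the fix: the handler decides which queues a client may ever address, independently of which queues exist, and rejects everything else before the name reaches any storage or dispatch logic. Matching is exact, so case variants or whitespace-padded names are rejected rather than normalised into an accepted one.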

Key dates

Disclosure timeline

April 9, 2026 CVE published
April 16, 2026 Record updated