{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4837", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2026-03-25T14:28:27.182Z", "datePublished": "2026-04-08T15:59:03.121Z", "dateUpdated": "2026-04-08T16:08:02.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-04-08T16:08:02.464Z"}, "title": "Eval Injection in Rapid7 Insight Agent", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-95", "description": "CWE-95 Improper neutralization of directives in dynamically evaluated code ('eval injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "affected": [{"vendor": "Rapid7", "product": "Insight Agent", "platforms": ["Linux"], "modules": ["ir_agent"], "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.0.2", "changes": [{"at": "4.1.0.2", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform."}]}], "references": [{"url": "https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "John Rodriguez", "type": "reporter"}, {"lang": "en", "value": "Cyberdagger", "type": "sponsor"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform."}], "id": "CVE-2026-4837", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2026-04-08T17:21:24.603", "references": [{"source": "cve@rapid7.com", "url": "https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-95"}], "source": "cve@rapid7.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.1.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Insight Agent", "source": "cna", "vendor": "Rapid7"}, "product": "insight_agent", "vendor": "rapid7"}], "analysis": {"en": {"generated_at": "2026-04-08T17:50:30.079148+00:00", "value": {"mitigation_remediation": ["Check Rapid7\u2019s latest release notes for a patch or updated Insight Agent version and upgrade if available. If an update is unavailable, enforce strict access controls on the Rapid7 Platform to prevent unauthorized command injection. Monitor for abnormal beacon responses and consider disabling or sanitizing eval usage in any custom beacon handling logic."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Linux installations of the Rapid7 Insight Agent are affected. Specific version information is not disclosed in the advisory, so all current releases may be susceptible until an update is applied.", "description_and_impact": "An injection flaw in the Rapid7 Insight Agent beaconing logic on Linux allows the eval() function to be executed with arbitrary payloads. This flaw could, in theory, enable an attacker to run code as root if a malicious beacon response is received. Because the agent authenticates commands with mutual TLS, the likelihood of exploitation without prior compromise of the backend platform is low, but the potential impact remains high if such an attack vector is realized.", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate to high severity. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited publicly known exploitation. Nevertheless, the combination of root privilege execution and a reliance on protected communication means that a compromised backend platform could lead to complete system takeover. The overall risk is considered moderate but should be evaluated against the organization\u2019s exposure to the Rapid7 platform."}}}}, "created": "2026-04-08T19:26:50.063440+00:00", "updated": "2026-04-08T19:39:07.991761+00:00", "vendors": ["rapid7", "rapid7$PRODUCT$insight_agent"]}