Description
Path Traversal vulnerability in the create_archive function of Rapid7 InsightConnect Compression Plugin on Linux allows authenticated attackers to write to unintended file paths via crafted filename input. The impact is limited to file corruption as content cannot be controlled by the attacker.
Published: 2026-06-25
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The create_archive function of Rapid7 InsightConnect's Compression Plugin accepts a filename parameter that is used directly when writing output files. Because the function does not sanitize or validate the supplied path, an attacker can supply a crafted filename that includes directory traversal components and cause the plugin to write to arbitrary locations relative to its working directory. This flaw is a classic path traversal (CWE-22). The attacker cannot choose the file contents, so the primary harm is corruption or unintended overwrite of existing files rather than injection of malicious payloads.
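The following Python snippet is an added illustration of the CWE-22 pattern described above and of the containment check that prevents it; it is not the plugin's code, and the function names unsafe_output_path, safe_output_path and create_archive_safe, the base directory, and the sample filenames are all assumptions chosen for the example. The hardened version resolves the joined path and refuses any result that does not stay inside the intended working directory, which also rejects absolute filenames.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Hypothetical illustration of CWE-22 (path traversal) in an archive writer.
# NOT the InsightConnect Compression Plugin's code; names are invented here.


def unsafe_output_path(base_dir: str, filename: str) -> str:
    """Vulnerable pattern: the caller-supplied filename is joined to the
    working directory without validation, so '../x' or '/abs/x' escape it."""
    return os.path.join(base_dir, filename)


def safe_output_path(base_dir: str, filename: str) -> Path:
    """Hardened pattern: resolve the candidate path and require it to be a
    strict descendant of base_dir. Path.is_relative_to needs Python 3.9+."""
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()   # an absolute filename replaces base
    if candidate == base or not candidate.is_relative_to(base):
        raise ValueError(f"refusing to write outside {base}: {filename!r}")
    return candidate


def is_contained(base_dir: str, filename: str) -> bool:
    """True when the hardened check accepts the filename, False when it rejects it."""
    try:
        safe_output_path(base_dir, filename)
        return True
    except ValueError:
        return False


def create_archive_safe(base_dir: str, filename: str, contents: dict) -> Path:
    """Write a zip archive of {member_name: bytes} only inside base_dir."""
    out = safe_output_path(base_dir, filename)
    out.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(out, "w") as zf:
        for name, data in contents.items():
            zf.writestr(name, data)
    return out


def demo() -> dict:
    """Run both patterns against a constructed traversal input in a scratch dir."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"          # constructed working directory
        work.mkdir()
        sibling = Path(tmp) / "victim.txt"  # constructed file outside work/
        sibling.write_bytes(b"original")

        traversal = "../victim.txt"
        # The unsafe join, once normalised, points at the sibling file.
        unsafe = os.path.normpath(unsafe_output_path(str(work), traversal))
        unsafe_escapes = not unsafe.startswith(str(work) + os.sep)

        safe_rejected = not is_contained(str(work), traversal)

        # A legitimate archive name is still accepted and written inside work/.
        out = create_archive_safe(str(work), "report.zip", {"a.txt": b"hello"})
        return {
            "unsafe_escapes": unsafe_escapes,
            "safe_rejected": safe_rejected,
            "archive_ok": zipfile.is_zipfile(out) and out.parent == work.resolve(),
            "sibling_intact": sibling.read_bytes() == b"original",
        }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by string-matching for "..", so encoded or symlink-based variants are judged by where the write would actually land.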

Affected Systems

This vulnerability affects the Rapid7 InsightConnect Compression Plugin when running on Linux operating systems. No specific version ranges are listed, so any installation of the plugin on Linux is potentially vulnerable until a patch is applied.

Risk and Exploitability

With a CVSS score of 3.3 the issue is considered low severity. No EPSS data is available and it is not present in the CISA KEV catalog. Exploitation requires an authenticated user capable of invoking create_archive within InsightConnect, which typically means insider or compromised credentials. The impact is limited to file corruption or accidental overwrites, with negligible risk of escalation to remote code execution or system compromise.

Generated by OpenCVE AI on June 25, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rapid7 InsightConnect to the latest release that removes the unvalidated filename handling in the Compression Plugin.
  • Restrict write permissions on the plugin’s working directory so only privileged processes can perform archive creation.
  • If a patch is unavailable, disable the Compression Plugin or block the create_archive function via configuration or access controls.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Path Traversal vulnerability in the create_archive function of Rapid7 InsightConnect Compression Plugin on Linux allows authenticated attackers to write to unintended file paths via crafted filename input. The impact is limited to file corruption as content cannot be controlled by the attacker.
Title       |                | Path Traversal in Rapid7 InsightConnect Compression Plugin
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-25T01:51:33.568Z

Reserved: 2026-05-15T06:29:05.299Z

Link: CVE-2026-8662

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')