Description
OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction.
Published: 2026-06-24
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Rapid7 InsightConnect RPM Plugin on Linux builds shell command lines from the repo, key, and name parameters without neutralizing shell metacharacters (CWE‑78). An authenticated attacker who can invoke the plugin's actions can therefore append or substitute commands, which run with the privileges of the plugin process on the host. The published CVSS vector rates integrity impact high and confidentiality and availability impact low, with no scope change, so the rated impact is primarily to the integrity of that host rather than full compromise of it.

Affected Systems

Rapid7 InsightConnect RPM Plugin installed on Linux platforms. No specific version information is provided, but any instance that has the plugin enabled and permits authenticated access is potentially vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.0 (medium) reflects a network‑reachable flaw of low attack complexity that needs no user interaction but requires high privileges (PR:H): the attacker must already hold a privileged InsightConnect account that can run the plugin. There is no EPSS estimate, and the CVE is not listed in CISA's KEV catalog. The vulnerable parameter names (repo, key, name) are stated in the description, so discovery is not a barrier; no public exploit is documented, but shell command injection of this kind is typically straightforward to weaponize once a suitably privileged account is obtained.

Generated by OpenCVE AI on June 25, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed version is listed on this page. Check the vendor's plugin release notes for a build that validates the repo, key, and name parameters and upgrade when one is available; until then, disable the RPM Plugin or remove it from workflows that pass those parameters from untrusted sources.
  • Because the vector requires high privileges, limit which InsightConnect accounts can run or edit workflows that call the plugin, and audit the values supplied to its repo, key, and name inputs.
  • Confine the plugin's process with a mandatory access control profile (AppArmor or SELinux) that restricts which binaries it may execute and which paths it may write, so that an injected command is limited to what the package‑management task itself needs.
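The injection pattern the description and the Impact section refer to, beside the argv‑based fix the first recommendation above calls for, as an added Python example. This is not the plugin's own code (InsightConnect plugins are written in Python, but the page shows none of it); the yum/rpm command lines, the SAFE_TOKEN and SAFE_KEY_LOCATION allow‑lists, and every helper name are assumptions chosen to illustrate CWE‑78 in the repo, key, and name parameters. The hostile inputs are constructed for the demo.

```python
"""Shell-string vs argv construction for a package-manager wrapper.

Added example, not the Rapid7 plugin's code.  Command lines, allow-list
patterns and helper names are assumptions used to illustrate CWE-78 in
the repo / key / name parameters.
"""
import re
import shlex
import subprocess
from typing import Callable, List, Optional

# Allow-list for package and repository names: letters, digits and the
# punctuation seen in real RPM names.  Deliberately no shell metacharacters.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._+:@-]{1,255}")
# Allow-list for a GPG key location (local path or URL); adds '/' and '='.
SAFE_KEY_LOCATION = re.compile(r"[A-Za-z0-9._+:/=@-]{1,2048}")


def build_shell_string(action: str, name: str, repo: Optional[str] = None) -> str:
    """Vulnerable pattern: caller input pasted into a string the shell parses.

    Any metacharacter in `name` or `repo` (; | & $( ) ` newline) reaches the
    shell unchanged.  Kept only to contrast with build_argv(); never run it.
    """
    cmd = f"yum -y {action} {name}"
    if repo:
        cmd += f" --enablerepo={repo}"
    return cmd


def shell_tokens(cmd: str) -> List[str]:
    """Approximate how /bin/sh splits `cmd`: ; | & ( ) < > become separate tokens."""
    return list(shlex.shlex(cmd, punctuation_chars=True))


def validate(value: str, pattern: "re.Pattern[str]", label: str) -> str:
    """Reject anything outside the allow-list or anything that could be read as an option."""
    if not pattern.fullmatch(value):
        raise ValueError(f"{label}: unexpected characters in {value!r}")
    if value.startswith("-"):
        raise ValueError(f"{label}: must not start with '-': {value!r}")
    return value


def build_argv(action: str, name: str, repo: Optional[str] = None) -> List[str]:
    """Hardened form: argv list, no shell, every value validated.

    '--' ends option parsing so a package name can never be taken as a flag,
    even if the allow-list were later loosened.
    """
    if action not in ("install", "remove", "info"):
        raise ValueError(f"unsupported action {action!r}")
    argv = ["yum", "-y", action]
    if repo:
        argv.append("--enablerepo=" + validate(repo, SAFE_TOKEN, "repo"))
    argv += ["--", validate(name, SAFE_TOKEN, "name")]
    return argv


def build_import_key_argv(key: str) -> List[str]:
    """Hardened form for the key parameter: rpm --import <path-or-url>."""
    return ["rpm", "--import", validate(key, SAFE_KEY_LOCATION, "key")]


def run_argv(argv: List[str]) -> "subprocess.CompletedProcess[str]":
    """Execute without a shell: the kernel receives argv as-is, nothing re-parses it."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


def rejects(fn: Callable, *args, **kwargs) -> bool:
    """True if fn(*args, **kwargs) raises ValueError."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = "vim; id > /tmp/pwned"  # constructed injection payload
    print(shell_tokens(build_shell_string("install", hostile)))   # ';' is its own token
    print(build_argv("install", "vim-enhanced", repo="epel"))
    print(rejects(build_argv, "install", hostile))                 # True
    print(rejects(build_argv, "install", "--downloadonly"))        # True: option injection
```

The second rejection matters even after moving to argv: a value that passes the character allow‑list but begins with `-` would otherwise be parsed by yum or rpm as an option, so the validator refuses it and `build_argv` additionally inserts `--` before the package name.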


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Values removed: none

Values added:
  • Description: OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction.
  • Title: OS Command Injection in Rapid7 InsightConnect RPM Plugin
  • Weaknesses: CWE-78
  • References: none
  • Metrics: cvssV3_1
    {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-24T23:56:50.706Z

Reserved: 2026-05-15T06:29:07.070Z

Link: CVE-2026-8663

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T02:30:15Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')