{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6482","assignerOrgId":"9974b330-7714-4307-a722-5648477acda7","state":"PUBLISHED","assignerShortName":"rapid7","dateReserved":"2026-04-17T04:25:38.616Z","datePublished":"2026-04-17T05:19:20.485Z","dateUpdated":"2026-04-18T03:55:55.477Z"},"containers":{"cna":{"providerMetadata":{"orgId":"9974b330-7714-4307-a722-5648477acda7","shortName":"rapid7","dateUpdated":"2026-04-17T05:22:25.106Z"},"title":"Local Privilege Escalation via OpenSSL configuration file in Insight Agent","datePublic":"2026-04-09T14:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-829","description":"CWE-829 Inclusion of functionality from untrusted control sphere","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"affected":[{"vendor":"Rapid7","product":"Insight Agent","platforms":["Windows"],"versions":[{"status":"affected","version":"0","lessThan":"4.1.0.2","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access.","supportingMedia":[{"type":"text/html","base64":false,"value":"The Rapid7 Insight Agent (versions &gt; 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain <b>SYSTEM</b>&nbsp;level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted <code>openssl.cnf</code> file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s <b>SYSTEM</b> level access."}]}],"references":[{"url":"https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"PROOF_OF_CONCEPT","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":8.5,"vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P"}}],"credits":[{"lang":"en","value":"Dell Security Assurance Team","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-17T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-6482"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-18T03:55:55.477Z"}}]}}