CVE-2026-4482
Insecure Permissions on Installer Certificates in Windows Exposes Agent Identity
Publication date: 2026-04-10
Last updated on: 2026-04-10
Assigner: Rapid7, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves installer certificate files located in the β¦/bootstrap/common/ssl folder on Windows systems that do not have restricted permissions. Specifically, users have read and execute access to these files.
The client.key file is particularly sensitive because it contains agent identity material. Since any locally authenticated standard user can read this file, it exposes critical identity information that could be exploited.
How can this vulnerability impact me? :
The vulnerability could allow any locally authenticated standard user on a Windows system to access sensitive certificate files, including the client.key file.
This exposure of agent identity material could lead to exploits, such as unauthorized use of the agent's identity or impersonation, potentially compromising system security.