CVE-2026-4837
Eval() Injection in Rapid7 Insight Agent for Linux Enables Root RCE
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Rapid7, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rapid7 | insight_agent | * |
| rapid7 | insight_agent | 4.1.0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4837 is a vulnerability in the Rapid7 Insight Agent for Linux caused by the use of the Python eval() function on data received in the agent's beaconing logic (CWE-95). Because the agent runs as root, a specially crafted beacon response that the agent accepts and evaluates would execute arbitrary code with root privileges.
However, exploitation is unlikely: the agent accepts commands only over mutual TLS (mTLS) with the Rapid7 Platform, so an attacker would first need to present a valid platform-side certificate or otherwise compromise the platform side to deliver a crafted response. The vulnerability was fixed in Rapid7 Insight Agent version 4.1.0.2 by removing the use of eval(), which eliminates the attack vector regardless of the transport protections.
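The following is an added illustration of the CWE-95 pattern described above; it is not Rapid7's code, and the beacon field names and sample responses are constructed for the example. It shows why eval() on a beacon body "works" for ordinary JSON-looking responses (a JSON object without true/false/null is also a valid Python expression), why the same call executes attacker-chosen code, and the hardened form that parses the response as data and validates its shape:

```python
"""CWE-95 in a beacon handler: vulnerable eval() beside a hardened parser.

Added example, not code from the Rapid7 Insight Agent. The response format
and field names (interval, commands) are hypothetical.
"""
import json

# Constructed sample beacon responses (not real Rapid7 traffic).
BENIGN_RESPONSE = '{"interval": 30, "commands": []}'
# A crafted response: not JSON, but a Python expression. Under eval() it calls
# os.getcwd() on the agent host; an attacker would call os.system() instead.
CRAFTED_RESPONSE = '__import__("os").getcwd()'


def parse_beacon_unsafe(body: str) -> object:
    """The vulnerable pattern: dynamic evaluation of untrusted input (CWE-95)."""
    return eval(body)  # shown deliberately; never do this with remote data


def parse_beacon_safe(body: str) -> dict:
    """Hardened: decode as JSON (no code execution) and validate the shape.

    Anything that is not a JSON object carrying the expected, well-typed
    fields is rejected instead of being interpreted.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"beacon response is not JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("beacon response must be a JSON object")
    interval = doc.get("interval")
    commands = doc.get("commands", [])
    if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
        raise ValueError("interval must be a positive integer")
    if not isinstance(commands, list) or not all(isinstance(c, str) for c in commands):
        raise ValueError("commands must be a list of strings")
    return {"interval": interval, "commands": commands}


def demo() -> dict:
    """Run both parsers over both responses and report what each one did."""
    out = {}
    # eval() returns a dict here, which is exactly why the pattern survives review.
    out["unsafe_benign"] = parse_beacon_unsafe(BENIGN_RESPONSE)
    # eval() executes the expression: os.getcwd() ran and returned a path string.
    out["unsafe_crafted"] = parse_beacon_unsafe(CRAFTED_RESPONSE)
    out["safe_benign"] = parse_beacon_safe(BENIGN_RESPONSE)
    try:
        parse_beacon_safe(CRAFTED_RESPONSE)
        out["safe_crafted"] = "accepted"
    except ValueError as exc:
        out["safe_crafted"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Note that passing a restricted globals dictionary to eval() (for example emptying `__builtins__`) is not a fix; such sandboxes are routinely escaped through object attribute chains. The only sound remedy is the one the vendor applied: stop evaluating the input at all and parse it as data.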
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to achieve remote code execution with root privileges on a system running the vulnerable Rapid7 Insight Agent. This means the attacker could potentially take full control of the affected system, leading to unauthorized access, data theft, system manipulation, or disruption of services.
However, due to the use of mutual TLS (mTLS) for command verification, remote exploitation without prior highly privileged access to the backend platform is unlikely.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the version of the Rapid7 Insight Agent installed on your Linux systems. The vulnerability was fixed in version 4.1.0.2 by removing the use of the eval() function in the beaconing logic.
You can check the installed version of the Rapid7 Insight Agent by running a command such as:
- rapid7-insight-agent --version
The binary name and install path depend on how the agent was deployed, so confirm them against your own installation or Rapid7's documentation. If the reported version is older than 4.1.0.2, treat the system as vulnerable; the affected-products table above covers all earlier versions. Because beacon traffic is protected by mTLS, inspecting response contents on the wire is impractical; host-level monitoring of the agent process for unexpected child processes or command execution is a more useful signal of exploitation attempts, although exploitation remains unlikely without privileged access to the platform side.
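As an added example (not a Rapid7 tool), the check below compares version strings collected from a fleet against the 4.1.0.2 fix level given on this page. It assumes the version string has already been obtained from each host by whatever command your installation provides; the hostnames and versions in the sample inventory are constructed. It compares versions numerically, which matters because a plain string comparison ranks "4.1.0.10" below "4.1.0.2" and would wrongly mark a patched host as vulnerable:

```python
"""Fleet triage for CVE-2026-4837 by agent version. Added example, not vendor code."""

FIXED_VERSION = "4.1.0.2"  # first release without eval() per this advisory


def parse_version(v: str) -> tuple:
    """'4.1.0.2' -> (4, 1, 0, 2). A trailing build tag such as '-1' is ignored."""
    core = v.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing numerically component by component.

    Shorter versions are right-padded with zeros, so '4.1' compares as 4.1.0.0.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: dict) -> dict:
    """Map {host: version string} to {host: 'vulnerable' | 'fixed' | 'unknown'}."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            # Not a version string (agent missing, command failed, etc.): needs a look.
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "web01": "4.0.9.1",        # older than the fix
    "db02": "4.1.0.2",         # exactly the fix level
    "build03": "4.1.0.10",     # newer, but sorts before 4.1.0.2 as a string
    "legacy04": "not installed",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be inspected by hand rather than assumed safe; an absent or unparsable version string may mean the agent is not installed, or that the command you used is not the right one for that installation.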
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Rapid7 Insight Agent to version 4.1.0.2 or later, where the vulnerability has been fixed by removing the use of the eval() function.
Additionally, ensure that mutual TLS (mTLS) is properly configured and enforced, as it helps prevent unauthorized commands from being accepted by the agent.
Restrict access to the Rapid7 Agent files and processes to authorized users only, and monitor for any suspicious activity related to the agent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-4837 affects compliance with common standards and regulations such as GDPR or HIPAA.