CVE-2026-8795
Status: Received - Intake
YAML Injection in Rapid7 Velociraptor

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Rapid7, Inc.

Description
A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).
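The mechanism described above, as an added example that is not Velociraptor's own code: a constructed, simplified remapping template rendered with Go's text/template, once in the vulnerable form (the hostname spliced between literal double quotes) and once in a hardened form (the hostname passed through a quoting function that emits a complete, escaped double-quoted scalar). The template text, the `ClientInfo` type, the `yamlq` template function and the `topLevelKeys` helper are all assumptions made for illustration; the real artifact's YAML is different, and the hardening shown here is one valid fix, not necessarily the one shipped in 0.76.6.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed, simplified remapping template (not the real artifact's YAML).
// It reproduces only the pattern at issue: a value taken from
// client_info.json is spliced into a double-quoted YAML scalar verbatim.
const vulnerableTemplate = `hostname: "{{.Hostname}}"
remappings:
  - type: mount
    from:
      accessor: zip
`

// Hardened variant: the value goes through a template function that emits
// the whole quoted scalar, so the quotes belong to the escaping routine
// rather than being literal text around an unescaped insertion.
const hardenedTemplate = `hostname: {{yamlq .Hostname}}
remappings:
  - type: mount
    from:
      accessor: zip
`

// ClientInfo mirrors the one field of client_info.json that matters here
// (assumed key name: "hostname").
type ClientInfo struct {
	Hostname string `json:"hostname"`
}

// yamlDoubleQuote renders s as a YAML double-quoted scalar. strconv.Quote's
// escape set (\", \\, \n, \r, \t, \xNN, \uNNNN, \UNNNNNNNN, ...) is a subset
// of the escapes YAML double-quoted scalars accept, so the output can neither
// close the quote early nor introduce a raw newline.
func yamlDoubleQuote(s string) string {
	return strconv.Quote(s)
}

// render executes tmpl with info; text/template performs no escaping of its
// own, which is exactly why the vulnerable template is unsafe.
func render(tmpl string, info ClientInfo) string {
	t := template.Must(template.New("remap").
		Funcs(template.FuncMap{"yamlq": yamlDoubleQuote}).
		Parse(tmpl))
	var sb strings.Builder
	if err := t.Execute(&sb, info); err != nil {
		panic(err)
	}
	return sb.String()
}

// topLevelKeys is a deliberately minimal stand-in for a YAML parser: every
// line that starts at column 0 (not indented, not a sequence item) and
// contains a colon introduces a top-level mapping entry. An injected entry
// shows up as an extra key.
func topLevelKeys(doc string) []string {
	var keys []string
	for _, line := range strings.Split(doc, "\n") {
		if line == "" || line[0] == ' ' || line[0] == '-' {
			continue
		}
		if i := strings.Index(line, ":"); i > 0 {
			keys = append(keys, line[:i])
		}
	}
	return keys
}

func main() {
	// Constructed hostile hostname: closes the quote, starts a new top-level
	// key on a fresh line, then re-opens a quote so the template's trailing
	// quote still pairs up and the document remains valid YAML.
	evil := ClientInfo{Hostname: "WS01\"\ninjected: \"payload"}

	fmt.Println("--- vulnerable ---")
	fmt.Print(render(vulnerableTemplate, evil))
	fmt.Println("top-level keys:", topLevelKeys(render(vulnerableTemplate, evil)))

	fmt.Println("--- hardened ---")
	fmt.Print(render(hardenedTemplate, evil))
	fmt.Println("top-level keys:", topLevelKeys(render(hardenedTemplate, evil)))
}
```

With the vulnerable template the hostile value yields three top-level keys (hostname, injected, remappings); the hardened template keeps the whole value inside one escaped scalar on a single line, so only the two intended keys remain. The general lesson is that text/template must never be handed raw data for a structured output format; either serialize with a YAML encoder or route every interpolated value through a context-appropriate quoting function.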
Affected Vendors & Products (1 associated CPE)
Vendor: rapid7
Product: velociraptor
Version / Range: all versions before 0.76.6 (0.76.6 excluded)
CWE
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-8795 is a YAML injection vulnerability in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6.

The vulnerability occurs because the hostname field in client_info.json inside a collection ZIP is inserted into a YAML template using Go's text/template without proper escaping.

An attacker can craft a collection ZIP with a hostname containing literal double quotes and newlines to break out of the YAML quoted string and inject a new mount remapping entry.

This injected entry can contain arbitrary Velociraptor Query Language (VQL) code that executes on the analyst's machine with NullACLManager privileges, granting all permissions and bypassing sandboxing.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary VQL code on an analyst's machine with full permissions and without sandbox restrictions.

Such execution can compromise the confidentiality, integrity, and availability of the analyst's system.

The attack vector is local, with low complexity and no privileges required, but it depends on user interaction: an analyst must run the Windows.Collectors.Remapping artifact against the crafted ZIP and then apply the generated remapping file with the --remap flag.

It specifically affects users who use remapping to operate on offline collections, which is a niche use case.

Detection Guidance

Detection is on the input side. The hostile value lives in the hostname field of client_info.json inside the collection ZIP, so inspect that field in any collection of uncertain origin before running the remapping artifact against it. A legitimate hostname never contains literal double quotes, newlines, or other YAML-significant characters; any hostname that does should be treated as a YAML break-out attempt and the collection quarantined.
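One way to implement that triage check, as an added example (not part of the original page or of Velociraptor): open the collection ZIP, locate every client_info.json, and validate the hostname field against a strict character set before the archive is ever handed to the remapping artifact. The ZIP built in `buildZip` is constructed test input, the key name `hostname` is assumed, and the allowed character set is deliberately conservative (ASCII letters, digits, dot, hyphen, underscore); loosen it if your fleet uses internationalized hostnames.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"path"
	"regexp"
)

// hostnameRe is intentionally strict: quotes, newlines, colons, braces and
// whitespace have no business in a hostname, and those are exactly the
// characters a YAML break-out needs.
var hostnameRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// Finding describes one suspicious client_info.json in a collection ZIP.
type Finding struct {
	Path     string
	Hostname string
	Reason   string
}

// checkCollection scans the ZIP held in zipBytes for every client_info.json
// (at any depth) and validates its hostname field.
func checkCollection(zipBytes []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	if err != nil {
		return nil, fmt.Errorf("open zip: %w", err)
	}
	var findings []Finding
	for _, f := range r.File {
		if path.Base(f.Name) != "client_info.json" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, fmt.Errorf("open %s: %w", f.Name, err)
		}
		// Cap the read so a hostile archive cannot make the checker itself
		// balloon in memory (1 MiB is far more than this file ever needs).
		data, err := io.ReadAll(io.LimitReader(rc, 1<<20))
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("read %s: %w", f.Name, err)
		}
		var info struct {
			Hostname string `json:"hostname"` // assumed key name
		}
		if err := json.Unmarshal(data, &info); err != nil {
			findings = append(findings, Finding{f.Name, "", "unparseable client_info.json: " + err.Error()})
			continue
		}
		if len(info.Hostname) == 0 || len(info.Hostname) > 253 || !hostnameRe.MatchString(info.Hostname) {
			findings = append(findings, Finding{f.Name, info.Hostname,
				"hostname contains characters outside [A-Za-z0-9._-] or has an invalid length"})
		}
	}
	return findings, nil
}

// buildZip creates an in-memory collection ZIP holding a single
// client_info.json with the given hostname. Constructed test input only.
func buildZip(hostname string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, err := w.Create("client_info.json")
	if err != nil {
		panic(err)
	}
	if err := json.NewEncoder(fw).Encode(map[string]string{"hostname": hostname}); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	for _, h := range []string{"WS01.corp.example", "WS01\"\ninjected: \"payload"} {
		findings, err := checkCollection(buildZip(h))
		if err != nil {
			panic(err)
		}
		fmt.Printf("hostname %q -> %d finding(s)\n", h, len(findings))
		for _, fd := range findings {
			fmt.Printf("  %s: %s\n", fd.Path, fd.Reason)
		}
	}
}
```

Run this against every collection ZIP before it reaches the remapping workflow; a non-empty result means the archive should not be remapped, regardless of which Velociraptor version is installed.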

Since the Windows.Collectors.Remapping artifact writes the remapping YAML to disk before it is applied, also review the generated file before passing it to --remap: a remapping entry you did not expect, or one that carries VQL, indicates that the source collection was tampered with.

No specific detection commands are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the Rapid7 Velociraptor server to version 0.76.6 or later.

Alternatively, users can copy the latest Windows.Collectors.Remapping artifact from the latest release into their configuration file to prevent exploitation.

Until the update is applied, do not apply with --remap any remapping file generated from a collection ZIP whose origin you do not fully trust.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary code with full permissions on an analyst's machine, which can lead to unauthorized access, modification, or destruction of sensitive data.

Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls to protect confidentiality, integrity, and availability of sensitive information.

However, this vulnerability only affects users who use the remapping feature on offline collections, which is a niche use case.

Mitigation by upgrading to version 0.76.6 or later is recommended to reduce the risk and maintain compliance.
