CVE-2026-5329 Velociraptor improper input validation in client message handler

Published on 2026-04-08

Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux).

This allows an authenticated remote attacker (i.e. a rogue client) to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name.

The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues.
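A hardened shape of the missing check, as an added example in Go (the language Velociraptor is written in) that is not Velociraptor's own code: the handler accepts a client-supplied queue name only if it is well formed and is one the server itself assigned to that client, so queues never handed out to clients cannot be written to. All type, client and queue names below are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// MonitoringMessage is a constructed stand-in for a client monitoring
// message (not Velociraptor's real type); Queue is untrusted client input.
type MonitoringMessage struct{ ClientID, Queue, Payload string }
var ErrBadQueue = errors.New("monitoring message rejected: invalid queue name")
// queueNameRe: dotted identifiers only, so separators and control bytes fail early.
var queueNameRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$`)
// Server remembers which queues it assigned to each client and accepts only those
// names back, so internal queues never assigned to any client stay unreachable.
type Server struct {
	assigned map[string]map[string]bool // clientID -> allowed queue names
	queues   map[string][]string        // queue name -> delivered payloads
}
func NewServer() *Server {
	return &Server{assigned: map[string]map[string]bool{}, queues: map[string][]string{}}
}

// Assign records the monitoring queues a client is allowed to write to.
func (s *Server) Assign(clientID string, queues ...string) {
	if s.assigned[clientID] == nil {
		s.assigned[clientID] = map[string]bool{}
	}
	for _, q := range queues {
		s.assigned[clientID][q] = true
	}
}

// HandleMonitoring is the hardened handler: the queue name must be well
// formed and must be one the server itself assigned to this client.
func (s *Server) HandleMonitoring(msg MonitoringMessage) error {
	if !queueNameRe.MatchString(msg.Queue) || !s.assigned[msg.ClientID][msg.Queue] {
		return ErrBadQueue
	}
	s.queues[msg.Queue] = append(s.queues[msg.Queue], msg.Payload)
	return nil
}
// Delivered returns the payloads written to a queue.
func (s *Server) Delivered(queue string) []string { return s.queues[queue] }
func main() { // client and queue names are placeholders
	s := NewServer()
	s.Assign("C.example", "Monitoring.Example")
	fmt.Println(s.HandleMonitoring(MonitoringMessage{"C.example", "Internal.Example", "event"})) // rejected
}
```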

This vulnerability may lead to remote code execution on the Velociraptor server.

Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.

Required configuration for exposure:

This vulnerability only affects the Velociraptor server, which is typically running on a Linux system.

Problem:

CWE-1287: Improper Validation of Specified Type of Input

Impact:

CAPEC-253: Remote Code Inclusion CAPEC-23

Product Status:

Product: Rapid7 Velociraptor on Linux (source repo)
Default status: unaffected
Affected versions: before 0.76.2; before 0.75.7

Credits:

We thank Chris Au from NyxLab for identifying and reporting this issue responsibly.

Recommendation

This is a critical vulnerability which cannot be mitigated through configuration changes.

To remediate, you will need to upgrade your server to the latest version of your release:

  • For 0.76 releases, upgrade immediately to v0.76.2
  • For 0.75 releases, upgrade immediately to v0.75.7