CVE-2026-5329
Published: 09 April 2026
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2026-5329 is an improper input validation vulnerability (CWE-20) in the client monitoring message handler on the Velociraptor server, primarily affecting Linux deployments. It impacts Rapid7 Velociraptor versions prior to 0.76.2, where the server does not sufficiently validate queue names supplied by clients in monitoring messages. This allows an authenticated remote attacker to write arbitrary messages to privileged internal server queues, potentially leading to remote code execution. The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). Rapid7 Hosted Velociraptor instances are not affected.
An authenticated remote attacker with low privileges, acting as a rogue client, can exploit this by crafting a monitoring message with a malicious queue name. Because the server does not validate that name, the rogue client can write into arbitrary internal queues, reaching privileged server-side functionality and opening the path to remote code execution on the server. Exploitation requires network access and high attack complexity but no user interaction.
The official advisory at https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/ details the issue, with mitigation achieved by upgrading to Velociraptor version 0.76.2 or later, which addresses the input validation flaw in the message handler.
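As an added illustration of the validation flaw described above (example code written for this page, not Velociraptor's own; every type, field and queue name is hypothetical and constructed), the following Go snippet contrasts a handler that routes on the client-supplied queue name with one that binds the permitted destination to the authenticated client identity:

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

// Hypothetical message shape for this example. The server establishes
// ClientID from the client's credentials; Queue arrives inside the
// monitoring message and is attacker-controlled for a rogue client.
type MonitoringMessage struct {
	ClientID string
	Queue    string
	Payload  []byte
}

// vulnerableRoute shows the CWE-20 pattern: the client-supplied queue
// name becomes the destination with no check that this client may write
// there, so a server-internal queue is reachable by simply naming it.
func vulnerableRoute(msg MonitoringMessage) (string, error) {
	if msg.Queue == "" {
		return "", errors.New("empty queue name")
	}
	return msg.Queue, nil
}

var ErrQueueNotPermitted = errors.New("queue not permitted for this client")

// Artifact-style names: letters, digits, dots and underscores only.
var queueNamePattern = regexp.MustCompile(`^[A-Za-z0-9_.]+$`)

// hardenedRoute is an allowlist: a client may only address monitoring
// queues under its own namespace (derived from the authenticated identity,
// never from the message), and the remainder must match a strict charset.
// Internal queues, whatever they are called, are unreachable by construction.
func hardenedRoute(msg MonitoringMessage) (string, error) {
	if msg.ClientID == "" {
		return "", errors.New("unauthenticated message")
	}
	prefix := "Client." + msg.ClientID + ".Monitoring."
	if !strings.HasPrefix(msg.Queue, prefix) ||
		!queueNamePattern.MatchString(strings.TrimPrefix(msg.Queue, prefix)) {
		return "", ErrQueueNotPermitted
	}
	return msg.Queue, nil
}
```

A rejected message is also the natural detection point: logging the client identity and the requested queue name on ErrQueueNotPermitted surfaces rogue clients probing internal queues.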
Details
- CWE(s): CWE-20 (Improper Input Validation)
Affected Products
- Rapid7 Velociraptor versions prior to 0.76.2 (Rapid7 Hosted Velociraptor instances are not affected)
MITRE ATT&CK Enterprise Techniques
- T1210: Exploitation of Remote Services
Why these techniques?
The vulnerability enables an authenticated remote attacker to exploit the Velociraptor server via crafted monitoring messages, allowing arbitrary writes to privileged queues and potential RCE, directly facilitating Exploitation of Remote Services (T1210).