PatchSiren cyber security CVE debrief

CVE-2026-8664 Rapid7 CVE debrief

CVE-2026-8664 is an OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux. Authenticated attackers can execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction. The vulnerability has a CVSS score of 6 and a severity of MEDIUM. It was published on June 25, 2026, and last modified on June 29, 2026. The CVE record and NVD detail provide further information on this vulnerability.

Vendor: Rapid7
Product: InsightConnect Finger Plugin
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-29
Advisory published: 2026-06-25
Advisory updated: 2026-06-29

Who should care

Security teams and administrators responsible for Rapid7 InsightConnect Finger Plugin on Linux should be aware of this vulnerability. They should assess their exposure and take necessary steps to mitigate the risk. This vulnerability requires authentication and has a medium severity, but it can still have significant impacts if exploited.

Technical summary

The OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux allows authenticated attackers to execute arbitrary OS commands. This is due to insufficient input validation in shell command construction, specifically with the user or host parameters. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L, indicating a medium severity. The CWE associated with this vulnerability is CWE-78.
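
The CWE-78 pattern described above, next to a hardened form, as an added example; it is not Rapid7's plugin code, which this page does not show. The function names, the allow-list patterns and the sample inputs are assumptions constructed for illustration.

```python
import re
import subprocess

# Assumed allow-lists (not taken from the plugin): a conservative login name
# and RFC 1123 style hostname labels. Neither can start with "-" or contain
# whitespace, "@" or shell metacharacters.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def unsafe_command(user: str, host: str) -> str:
    """The flawed pattern: parameters pasted into a string meant for a shell."""
    return f"finger {user}@{host}"


def validate_user(user: str) -> str:
    if not USER_RE.fullmatch(user):
        raise ValueError("user contains characters outside the allow-list")
    return user


def validate_host(host: str) -> str:
    labels = host.split(".")
    if len(host) > 253 or not all(LABEL_RE.fullmatch(l) for l in labels):
        raise ValueError("host is not a valid hostname or IPv4 address")
    return host


def build_finger_argv(user: str, host: str) -> list[str]:
    """Hardened form: validated values become one argv element, no shell."""
    return ["finger", f"{validate_user(user)}@{validate_host(host)}"]


def run_finger(user: str, host: str, timeout: float = 10.0) -> str:
    # A list argument with the default shell=False means no shell parses input.
    result = subprocess.run(build_finger_argv(user, host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


def is_rejected(user: str, host: str) -> bool:
    """True when validation refuses the pair before any process is started."""
    try:
        build_finger_argv(user, host)
    except ValueError:
        return True
    return False
```

Validation and the argv list are independent layers: the list keeps a shell out of the path entirely, and the allow-list stops values that the finger client itself could read as options.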

Defensive priority

Medium priority should be given to addressing this vulnerability, as it requires authentication but can still lead to significant impacts if exploited. Security teams should prioritize patching or mitigating this vulnerability in their environment.

Recommended defensive actions

  • Assess exposure to CVE-2026-8664 in the environment
  • Apply patches or updates provided by Rapid7 for InsightConnect Finger Plugin
  • Implement compensating controls such as restricting access to the plugin
  • Monitor for suspicious activity related to the plugin
  • Review and update incident response plans to include this vulnerability

Evidence notes

The CVE record and NVD detail provide official information on this vulnerability. The CVE was published on June 25, 2026, and last modified on June 29, 2026. The vulnerability is considered Analyzed by the NVD. A product reference is provided for the InsightConnect Finger Plugin.

This article is AI-assisted and based on the supplied source corpus.