PatchSiren cyber security CVE debrief
CVE-2026-8795 Rapid7 CVE debrief
CVE-2026-8795 is a high-severity vulnerability in Rapid7 Velociraptor, a threat detection and response platform. The vulnerability exists in the Windows.Collectors.Remapping artifact and allows for YAML injection attacks. An attacker can provide a crafted collection ZIP file that, when processed, injects arbitrary VQL code, leading to code execution with elevated privileges.
- Vendor: Rapid7
- Product: Velociraptor
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Security teams and administrators responsible for Rapid7 Velociraptor installations, particularly those using versions prior to 0.76.6, should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability arises from the hostname field in client_info.json inside a collection ZIP being inserted into a YAML template without proper escaping. This allows an attacker to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, the injected VQL code executes with NullACLManager, granting all permissions and running unsandboxed.
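As a pre-check for the flaw described above, the following added example (not Velociraptor or PatchSiren code) inspects the hostname in a collection ZIP's client_info.json before any remapping file is generated from it. The JSON key spelling, the allowlist, and the helper names are assumptions, and the sample ZIP is constructed.

```python
import io
import json
import re
import zipfile

# Conservative allowlist: dot-separated labels of letters, digits, "-" and "_".
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def hostname_findings(value):
    """Return the reasons a hostname is unsafe to place in a YAML template."""
    if not isinstance(value, str):
        return [f"hostname is {type(value).__name__}, not a string"]
    findings = []
    if "\n" in value or "\r" in value:
        findings.append("contains a line break")
    if any(ch in value for ch in "\"'\\"):
        findings.append("contains a quote or backslash")
    if not HOSTNAME_RE.fullmatch(value):
        findings.append("outside the hostname allowlist")
    return findings


def check_collection(zip_file):
    """Map every client_info.json in the ZIP to findings for its hostname."""
    results = {}
    with zipfile.ZipFile(zip_file) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] != "client_info.json":
                continue
            # Key spelling is an assumption, so match it case-insensitively.
            try:
                info = json.loads(zf.read(name))
                hosts = [v for k, v in info.items() if k.lower() == "hostname"]
            except (ValueError, AttributeError):
                results[name] = ["not a readable JSON object"]
                continue
            found = [f for h in hosts for f in hostname_findings(h)]
            results[name] = found if hosts else ["no hostname field"]
    return results


def sample_zip(hostname):
    """Build a constructed in-memory collection ZIP holding one client_info.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("client_info.json", json.dumps({"hostname": hostname}))
    return io.BytesIO(buf.getvalue())
```

Any non-empty finding list means the ZIP should be treated as tampered and not used with --remap; the check supplements the upgrade to 0.76.6 or later and does not replace it.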
Defensive priority
High
Recommended defensive actions
- Upgrade Rapid7 Velociraptor to version 0.76.6 or later.
- Restrict access to collection ZIP files to prevent tampering.
- Monitor for suspicious activity and VQL execution.
Evidence notes
The CVE-2026-8795 record was published on June 9, 2026, and last modified on June 9, 2026. The vulnerability has a CVSS score of 7.8 and is classified as HIGH severity.
Official resources
- CVE-2026-8795 CVE record (CVE.org)
- CVE-2026-8795 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-8795 was published on 2026-06-09T01:16:47.470Z and modified on 2026-06-09T13:49:39.993Z.