CVE-2026-5329
Published: 09 April 2026
Summary
CVE-2026-5329 is a high-severity Improper Input Validation (CWE-20) vulnerability in Rapid7 Velociraptor. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 27.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of client-supplied queue names in monitoring messages to ensure consistency with expected formats, preventing arbitrary writes to privileged internal queues.
- SI-9 (Information Input Restrictions): restricts queue names supplied by authenticated clients to an approved allowlist, blocking malicious names that target privileged internal server queues.
- Enforces approved access authorizations in the message handler to block unauthorized writes to privileged queues despite invalid inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables an authenticated remote attacker to exploit the Velociraptor server via crafted monitoring messages, allowing arbitrary writes to privileged queues and potential RCE, directly facilitating Exploitation of Remote Services (T1210).
NVD Description
Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.
Deeper analysis
CVE-2026-5329 is an improper input validation vulnerability (CWE-20) in the client monitoring message handler on the Velociraptor server, primarily affecting Linux deployments. It impacts Rapid7 Velociraptor versions prior to 0.76.2, where the server does not sufficiently validate queue names supplied by clients in monitoring messages. This allows an authenticated remote attacker to write arbitrary messages to privileged internal server queues, potentially leading to remote code execution. The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). Rapid7 Hosted Velociraptor instances are not affected.
An authenticated remote attacker with low privileges, acting as a rogue client, can exploit this by crafting a monitoring message with a malicious queue name. The lack of validation enables writing to arbitrary internal queues, granting access to privileged areas and facilitating remote code execution on the server. Exploitation requires network access and high attack complexity but no user interaction.
The official advisory at https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/ details the issue, with mitigation achieved by upgrading to Velociraptor version 0.76.2 or later, which addresses the input validation flaw in the message handler.
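As an added illustration (not Velociraptor's code; the message type, queue store, queue names and handler functions below are hypothetical), this Go snippet contrasts a monitoring-message handler that trusts the client-supplied queue name with one that applies the SI-10 format check and the SI-9 allowlist described above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// MonitoringMessage is a hypothetical client monitoring message: the client names the target queue.
type MonitoringMessage struct {
	ClientID string
	Queue    string
	Payload  []byte
}

// QueueStore stands in for the server's internal queues (hypothetical).
type QueueStore map[string][][]byte
var ErrQueueRejected = errors.New("queue name rejected")

// Queues an enrolled client may publish to. The names are constructed for
// this example and are not Velociraptor's real queue names.
var clientWritableQueues = map[string]bool{
	"Client.Monitoring.Events": true,
	"Client.Monitoring.Stats":  true,
}

// queueNamePattern rejects separators, whitespace and control characters
// before the name is compared against the allowlist (SI-10).
var queueNamePattern = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9.]{0,127}$`)

// handleMonitoringVulnerable reproduces the flaw class: the client-supplied
// queue name is used as-is, so a rogue client can address any internal queue.
func handleMonitoringVulnerable(store QueueStore, msg MonitoringMessage) error {
	store[msg.Queue] = append(store[msg.Queue], msg.Payload)
	return nil
}

// handleMonitoringHardened validates the format (SI-10), then restricts the
// name to the client-writable allowlist (SI-9); anything else is refused.
func handleMonitoringHardened(store QueueStore, msg MonitoringMessage) error {
	if !queueNamePattern.MatchString(msg.Queue) {
		return fmt.Errorf("%w: malformed name %q from client %s", ErrQueueRejected, msg.Queue, msg.ClientID)
	}
	if !clientWritableQueues[msg.Queue] {
		return fmt.Errorf("%w: %q is not client-writable (client %s)", ErrQueueRejected, msg.Queue, msg.ClientID)
	}
	store[msg.Queue] = append(store[msg.Queue], msg.Payload)
	return nil
}
```

The rejected-message error carries the client ID and the offending name, which is the event a defender would forward to audit logging to spot a rogue client probing internal queues.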
Details
- CWE(s)