CVE-2026-4482 PUBLISHED

Insight Agent Private Key Information Disclosure via Inherited File Permissions

Assigner: rapid7
Reserved: 20.03.2026 Published: 10.04.2026 Updated: 10.04.2026

The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent identity material to any locally authenticated standard user.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:L
CVSS Score: 6.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	Low
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Rapid7
Product	Insight Agent
Versions	Default: unaffected affected from 0 to 4.1.0.2 (excl.)

Credits

Peter Gabaldon @ ITRESIT (https://itresit.es/en/home-en/) reporter

References

https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes

Problem Types

CWE-732 Incorrect Permission Assignment for Critical Resource CWE