CVE-2026-8795: Rapid7 Velociraptor YAML Injection in Remapping Artifact (v0.76.6)
Rapid7 Velociraptor contains a vulnerability where specially crafted evidence collections can inject malicious code into YAML configuration files. When a security analyst processes a compromised collection using Velociraptor's remapping feature, arbitrary commands execute on their workstation with full permissions. The attack requires an attacker to control a collection ZIP file (obtained through network compromise or social engineering) and a user to run a specific analysis command. This is a local privilege escalation risk for incident response teams.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-116, CWE-74, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8795 is a YAML injection vulnerability in Velociraptor's Windows.Collectors.Remapping artifact. The vulnerability stems from unsafe template rendering: the hostname field from client_info.json is directly interpolated into a Go text/template YAML document without sanitization. An attacker can craft a hostname containing literal newlines and double-quote characters to escape the YAML quoted string context and inject arbitrary mount remapping directives. When an analyst applies the generated remapping configuration with the --remap flag, the injected VQL payload executes under NullACLManager permissions, which grants unrestricted access to filesystem and system operations without sandboxing constraints.
Business impact
Incident response and forensics teams using Velociraptor face operational risk during evidence triage. A compromised endpoint collection, either from an attacker-controlled machine or intercepted in transit, can weaponize the analysis workflow itself. An analyst reviewing what appears to be routine forensic artifacts inadvertently triggers code execution on their investigative workstation. This compromises the integrity of the investigation, risks lateral movement into the incident response infrastructure, and potentially exposes access credentials or other sensitive investigative data. For organizations relying on Velociraptor for rapid incident response, this creates a vector where the response process becomes an attack surface.
Affected systems
Rapid7 Velociraptor versions prior to 0.76.6 are affected. The vulnerability is specific to Windows artifact collection processing and remapping workflows, though the underlying template injection is in the core artifact engine. The risk is highest in environments where analysts process collections from untrusted endpoints or where collections transit insecure channels before local analysis.
Exploitability
Exploitation requires two preconditions: (1) an attacker must supply a malicious collection ZIP, typically by compromising an endpoint or intercepting network transmission, and (2) an analyst must actively invoke the --remap flag during local analysis. The technical barrier is low—crafting a hostname with YAML injection payloads is straightforward—but the social/operational barrier is non-trivial because the analyst must consciously choose to apply remapping. No authentication bypass or network interaction is required once the ZIP is obtained. This is classified as a local attack vector with user interaction required (CVSS AV:L/UI:R), but the impact is severe because execution happens outside sandboxing.
Remediation
Upgrade Rapid7 Velociraptor to version 0.76.6 or later. The patched version implements proper escaping or safe templating for hostname and other user-controlled fields before YAML generation. Organizations unable to patch immediately should restrict --remap usage to collections sourced from trusted, air-gapped systems and educate analysts on risks of processing evidence from potentially compromised endpoints without additional validation.
Patch guidance
Apply Rapid7 Velociraptor version 0.76.6 or later as soon as feasible. Verify the patch availability through the official Rapid7 release channels or your software distribution process. If operating an enterprise Velociraptor deployment, prioritize updates to analyst workstations and central server instances. No interim mitigations substitute for patching; the vulnerability is inherent to the artifact template engine in affected versions.
Detection guidance
Monitor for suspicious VQL execution on analyst workstations, particularly commands executed with elevated permissions or those accessing filesystem recursively (common in post-exploitation). Examine client_info.json files within collection ZIPs for hostname fields containing escaped quotes, newlines, or YAML syntax characters—these are red flags for injection attempts. Audit logs from Velociraptor collectors should be reviewed for unexpected collection metadata or hostname anomalies. Consider restricting --remap usage to a controlled environment pending patching.
Why prioritize this
This vulnerability merits immediate attention despite moderate attack complexity because it inverts the trust model of forensic analysis—the response activity itself becomes a compromise vector. The CVSS 7.8 HIGH score reflects severe impact (code execution, full confidentiality/integrity/availability compromise) combined with local-only distribution. Organizations with active incident response programs should deprioritize based on the constraint that the attacker must successfully deliver a collection, but should not delay patching beyond the next maintenance window.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector Local—the malicious collection must reach the analyst's workstation; Attack Complexity Low—YAML injection is trivial to craft; Privileges Required None—no prior access needed once the ZIP is obtained; User Interaction Required—analyst must actively use --remap; Scope Unchanged—impact is confined to the analyst's machine; Confidentiality/Integrity/Availability all High—arbitrary code execution with full permissions. The score appropriately elevates this beyond a typical template injection because the execution context (NullACLManager, unsandboxed) eliminates compensating controls.
Frequently asked questions
Can this vulnerability be exploited remotely without physical access or a collection file?
No. The attack requires the analyst to process a malicious collection ZIP file. The ZIP is local-only; it must be obtained through endpoint compromise, network interception, or social engineering. Remote network access alone is insufficient.
If I block use of the --remap flag, am I protected?
Blocking --remap eliminates the exploitation path, but this is a workaround rather than a fix. Remapping is a legitimate feature for forensic analysis. The proper solution is to upgrade to 0.76.6. If you must restrict remapping, also educate analysts that the underlying vulnerability exists in the artifact engine and could potentially be leveraged through other code paths in future versions.
How do I identify if a collection ZIP has been maliciously modified?
Examine the client_info.json hostname field for unusual characters (literal quotes, newlines, backslashes, or YAML punctuation). Validate the SHA-256 hash of collection ZIPs against a known-good baseline if collections are stored. Cryptographic signing of collections at source would also prevent tampering, but Velociraptor's native artifact transport does not mandate this.
Does this affect Velociraptor server deployments or only analyst workstations?
The vulnerability is triggered on the analyst's local machine during the --remap operation. However, if a Velociraptor server processes or stores malicious collections and serves them to analysts, it amplifies risk. Ensure your server deployment is also on 0.76.6 or later, and validate collection integrity at ingest.
This analysis is based on published vulnerability data and vendor advisories as of the publication date. Organizations should verify patch availability and compatibility with their specific Velociraptor version before deployment. No exploitation code or detailed proof-of-concept is provided. Guidance assumes standard incident response workflows; air-gapped or disconnected environments may require additional validation procedures. SEC.co makes no warranty regarding the completeness or applicability of this guidance to your specific environment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10175MEDIUMCode Injection in Aider-AI Aider 0.86.3 – Exploit Available
- CVE-2026-10688MEDIUMCode Injection in ahujasid blender-mcp
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk