CVE-2026-8795

Summary

A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with –remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).

Affected Software

VendorProductVersion RangeStatus
Rapid7Velociraptor0 < 0.76.6affected

Weaknesses

  • CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-116: CWE-116: Improper Encoding or Escaping of Output

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References