Velociraptor Improper Input Validation CVE-2026-5329

Prepared by: Leighton Baker | Published: Thu 09 April 2026 

Executive Summary

Velociraptor contains an improper input validation vulnerability in the client monitoring message handler on the server component. This flaw allows an authenticated remote attacker (i.e. a rogue client) to send crafted monitoring messages that manipulate internal server queues.
Successful exploitation may result in remote code execution (RCE) on the Velociraptor server. This vulnerability cannot be mitigated through configuration changes and requires immediate patching.

What Happened

The vulnerability exists in how the Velociraptor server processes monitoring messages from clients. Specifically:

  • The server does not sufficiently validate the queue name supplied by clients.

  • A malicious client can craft a message with a forged queue name.

  • This allows writing to arbitrary internal server queues, including privileged ones.

This behavior effectively breaks trust boundaries between clients and internal server processing mechanisms.
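As an added illustration of the flaw class described above (this is not Velociraptor's own code; the message type, queue names and dispatcher functions are assumed for the example), a dispatcher that trusts the client-supplied queue name beside one that checks it against an allow-list of client-writable queues before touching any queue:

```go
package main

import (
	"errors"
	"fmt"
)

// MonitoringMessage is a simplified stand-in (an assumption, not Velociraptor's
// real type) for a client monitoring message carrying a client-chosen queue name.
type MonitoringMessage struct {
	ClientID string
	Queue    string // supplied by the client, therefore untrusted
	Payload  string
}

// Queues a client is legitimately allowed to write to via monitoring messages.
// The names are hypothetical; a real server would derive them from its own config.
var clientWritableQueues = map[string]bool{
	"client.monitoring": true,
}

// ErrQueueNotPermitted is returned when a client names a queue it may not write to.
var ErrQueueNotPermitted = errors.New("queue name not permitted for client messages")

// vulnerableDispatch mirrors the weakness the bulletin describes: the queue name
// is taken straight from the message, so a forged name reaches any internal queue.
func vulnerableDispatch(queues map[string][]string, msg MonitoringMessage) error {
	queues[msg.Queue] = append(queues[msg.Queue], msg.Payload)
	return nil
}

// hardenedDispatch rejects any queue name outside the allow-list before writing,
// so a client can only ever reach the queues intended for client input.
func hardenedDispatch(queues map[string][]string, msg MonitoringMessage) error {
	if !clientWritableQueues[msg.Queue] {
		return fmt.Errorf("client %s: %w: %q", msg.ClientID, ErrQueueNotPermitted, msg.Queue)
	}
	queues[msg.Queue] = append(queues[msg.Queue], msg.Payload)
	return nil
}

func main() {
	// Constructed sample: a message naming a hypothetical server-internal queue.
	forged := MonitoringMessage{ClientID: "C.example", Queue: "server.tasks", Payload: "constructed"}
	q := map[string][]string{}
	_ = vulnerableDispatch(q, forged)
	fmt.Println("vulnerable: server.tasks entries =", len(q["server.tasks"])) // 1
	q = map[string][]string{}
	err := hardenedDispatch(q, forged)
	fmt.Println("hardened:", err, "| server.tasks entries =", len(q["server.tasks"])) // 0
}
```

The rejection in the hardened path is also the natural place to emit the "anomalous queue activity" log event the bulletin recommends monitoring for.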

Why This Matters to Your Organisation

Velociraptor is typically deployed in sensitive environments for endpoint visibility and threat hunting. Exploitation of this vulnerability introduces significant risk:

  • Remote Code Execution (RCE): Attackers may execute arbitrary code on the server.

  • Full System Compromise: High impact across confidentiality, integrity, and availability.

  • Lateral Movement Risk: Compromised Velociraptor servers may be leveraged to pivot across monitored environments.

Because exploitation requires only low privileges and no user interaction, environments with untrusted or compromised clients are particularly exposed.

Who Should Review Their Environments

This bulletin is relevant to organisations that:

  • Operate Velociraptor servers on Linux

  • Allow multiple or distributed clients to connect to a central server

  • Use Velociraptor in security operations, DFIR, or endpoint monitoring

  • Manage environments where client integrity cannot be guaranteed

Technical Details

Affected Versions

Product: Velociraptor (Linux)

Affected Versions: 0.76 branch releases prior to 0.76.2, and 0.75 branch releases prior to 0.75.7

Note: Rapid7 Hosted Velociraptor instances are not affected.

  • CWE: CWE-1287 – Improper Validation of Specified Type of Input

  • CAPEC: CAPEC-253 / CAPEC-23 – Remote Code Inclusion

  • Attack Vector: Network

  • Privileges Required: Low

  • User Interaction: None

  • Scope: Changed

The vulnerability stems from insufficient validation of client-supplied queue identifiers in monitoring messages, allowing injection into privileged processing queues.

Impact

If exploited, this vulnerability may lead to:

  • Arbitrary message injection into internal queues

  • Execution of malicious workflows or commands

  • Remote code execution on the Velociraptor server

  • Potential compromise of connected infrastructure

Indicators of Compromise

There are no publicly defined IOCs specific to this vulnerability. However, organisations should monitor for:

  • Unexpected or anomalous queue activity

  • Unusual client message patterns

  • Unauthorized task execution within Velociraptor

  • Suspicious server-side process activity

Immediate Actions Required

  1. Upgrade Immediately

    • 0.76 branch → upgrade to v0.76.2

    • 0.75 branch → upgrade to v0.75.7

  2. Do Not Rely on Mitigations

    • This vulnerability cannot be mitigated via configuration changes

  3. Review Client Trust Model

    • Validate authenticity and integrity of connected clients

    • Investigate any potentially rogue or compromised clients

  4. Audit Server Activity

    • Review logs for abnormal queue usage or execution patterns

    • Investigate any signs of unauthorized actions

Triskele Labs SOC Response

Triskele Labs is monitoring for activity related to this vulnerability. Where telemetry is available, our SOC can assist with:

  • Identifying vulnerable Velociraptor deployments

  • Investigating anomalous client/server interactions

  • Assessing potential exploitation or compromise

  • Supporting containment and remediation efforts

For incident response or deeper investigation, DFIR services can be engaged.

References