Rapid7 Insightvm

Rapid7 InsightVM ACS Endpoint Signature Verification Bypass <8.34.0
CVE-2026-1568 9.6 - Critical - February 03, 2026

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

Improper Verification of Cryptographic Signature

Rapid7 InsightVM Console DoS via REST Flood <6.6.260
CVE-2024-6504 4.3 - Medium - July 18, 2024

Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.

Allocation of Resources Without Limits or Throttling

Rapid7 InsightVM Sensitive Info Leak in Login (Pre-6.6.244)
CVE-2024-2745 3.3 - Low - April 02, 2024

Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded.  This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.     The vulnerability is remediated in version 6.6.244. 

InsightVM Insufficient Session Expiration on Admin Password Change
CVE-2021-3844 5.4 - Medium - March 24, 2023

Rapid7 InsightVM suffers from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage. This vulnerability is mitigated by the use of the Platform Login feature. This issue is related to CVE-2019-5638.

Insufficient Session Expiration

Rapid7 InsightVM <=6.6.178 Open Redirect via d/c/r page param
CVE-2023-0681 6.1 - Medium - March 20, 2023

Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attackers choice using the page parameter of the data/console/redirect component of the application. This issue was resolved in the February, 2023 release of version 6.6.179.

Open Redirect

Rapid7 Nexpose/InsightVM SSH Host Keys Reused Across VMs (CVE-2017-5242)
CVE-2017-5242 7.7 - High - January 12, 2023

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.

Use of Insufficiently Random Values

Rapid7 Nexpose/InsightVM Update Auth Validation Flaw CVE-2022-4261 (6.6.172)
CVE-2022-4261 6.5 - Medium - December 08, 2022

Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.

Download of Code Without Integrity Check

Rapid7 InsightVM Info Exposure via Session Expiry & Client DOM Mod
CVE-2019-5641 5.3 - Medium - September 21, 2022

Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

Insufficient Session Expiration

Users with Site-level permissions
CVE-2019-5615 7.5 - High - April 09, 2019

Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49.

Credentials Management Errors