CVSS 8.8 - workflow action command execution risk
SOAR workflow check
Rapid7 InsightConnect Linux plugin CVE batch self-check
Four CVEs published on June 25, 2026 affect Linux actions in Rapid7 InsightConnect plugins. Treat this as a workflow-run review: which plugin actions exist, who can run them, what credentials they hold, and what evidence was produced by recent jobs.
Covered CVEs
CVSS 7.1 - workflow action file write risk
CVSS 7.7 - workflow action command execution risk
CVSS 7.7 - workflow action command execution risk
Who should check
- InsightConnect workspaces using Sed, AWK, or Translate plugin actions on Linux runners.
- Automation teams that allow non-admin users to trigger workflows containing these actions.
- SOAR environments where plugin credentials can reach production systems, ticketing, email, or cloud APIs.
Safe self-check
- Inventory workflows that use the affected plugin actions and note who can trigger them.
- Update or disable affected actions until the vendor-fixed plugin version is deployed.
- Review workflow run history, runner logs, generated files, and connector credential use.
- Rotate credentials if an affected action ran with broad access during the exposure window.
- Keep the plugin version, workflow ID, run timestamp, and sanitized runner logs for the handoff.
When to request help
Ask Ping7 for help if affected workflows touched production credentials, wrote files on a runner, or ran with unclear input sources. A repair case should include the CVE ID, plugin name, workflow ID, run timestamps, and sanitized logs.
Request CVE repair