External risk intelligence

Rapid7 InsightConnect Translate Plugin Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-8665

Rapid7 InsightConnect is a security orchestration and automation platform (SOAR) typically deployed as an internet-facing gateway or service to integrate with external tools and APIs. Plugins used within this platform often process external input, making them reachable components of an externally exposed management and automation surface.

OS Command Injection

Rapid7 Insightconnect Translate

before 2.0.3

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in a Rapid7 plugin for Linux systems that could allow remote attackers to execute unauthorized operating system commands. This is due to insufficient security checks on input used to build commands.

  • Remote command execution through a software plugin.
  • Affects a security automation platform.
  • Confirm if the plugin is deployed and in use.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by sending specially crafted data to the Rapid7 InsightConnect Translate Plugin. This plugin, when processing text or expression inputs, fails to properly sanitize data before incorporating it into system commands. If successful, an attacker could execute arbitrary operating system commands on the affected Linux system.

  • Requires no user interaction.
  • Vulnerable component processes untrusted input.
  • Enables arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow remote attackers to execute arbitrary operating system commands on a Linux system when the Rapid7 InsightConnect Translate Plugin processes specially crafted text or expression parameters. This could occur when the plugin's shell command construction fails to adequately sanitize user-supplied input.

  • OS commands could be executed.
  • Via text or expression parameters.
  • System compromise is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

The TR action within the Rapid7 InsightConnect Translate Plugin is susceptible to OS Command Injection due to insufficient input sanitization. This vulnerability, present on Linux, allows remote, unauthenticated attackers to execute arbitrary OS commands by manipulating the text or expression parameters. Identifying instances of the InsightConnect Translate Plugin, confirming their reachability and business criticality, and then assigning ownership for remediation are the immediate next steps.

  • Owning team: Platform or Application Owners.
  • Verify: Plugin reachability and critical business function.
  • Action: Plan remediation considering vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Rapid7 InsightConnect Translate plugin?

It is a specialized software component used within the Rapid7 InsightConnect platform, which serves as a security orchestration, automation, and response (SOAR) tool. These plugins function as connectors that allow the automation platform to interface with external services, tools, and APIs to perform tasks like translating data or communicating with other systems.

What does OS Command Injection mean for CVE-2026-8665?

This vulnerability, classified as CWE-78, occurs when software takes untrusted input and uses it to construct a command for the underlying operating system without proper validation. Because the Translate plugin does not sufficiently sanitize the text or expression parameters it processes, an attacker can insert their own commands into these fields, tricking the system into running malicious instructions.

How does an attacker trigger this command injection?

An attacker triggers the vulnerability by sending specially crafted, malicious data to the plugin's text or expression input fields. It is important to note that this flaw specifically relates to how the plugin constructs shell commands; it is not triggered by standard, legitimate configuration changes or typical administrative activities that do not involve passing arbitrary, unverified input to the plugin's processing logic.

Is my system at risk according to Halo Surface Signal?

According to Halo Surface Signal, this vulnerability is particularly relevant if your InsightConnect instance is deployed as an internet-facing gateway or service. Because SOAR platforms are often designed to integrate with external tools and APIs, they may already reside on your network's perimeter, making components like this plugin reachable to remote, unauthenticated actors on the internet.

What should I do if I use this plugin?

Your first step is to confirm whether the InsightConnect Translate plugin is installed and active in your environment. If it is in use, determine its reachability and assess its role in your business processes. Coordinate with the teams responsible for your security automation platform to monitor vendor guidance and prioritize the necessary updates to remove the vulnerable component.

References