VAPT-2026-00001 | Hybrid agent enrollment replay campaign
Public incident record tracking token replay in VAPT Hybrid Agent bootstrap workflows and the resulting rogue agent registration risk.
Case Overview
Upgrade, or rebuild, affected agents to 2.8.4 or later wherever possible.
Affected Scope
record: VAPT-2026-00001
severity: CRITICAL
product: Hybrid Agent 2.6-2.8
target_versions: 2.6.0 through 2.8.3
linked_cves: CVE-2026-12644
cvss_vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
How Attackers Can Misuse This
- A successful replay allowed rogue agent onboarding inside the telemetry trust domain, exposing telemetry, control messages, and configuration handling to unauthorized systems.
Root Cause
Enrollment tokens issued during bootstrap were not invalidated consistently in a subset of hybrid provisioning paths. Captured bootstrap artifacts remained reusable until patch rollout and trust-anchor rotation.
What You Can Do
Treat exposed management surfaces and previously issued credentials as potentially compromised.
Rotate affected secrets, tokens, and privileged service credentials after remediation is applied.
Upgrade all affected agents, invalidate historical bootstrap tokens, rotate related trust material, and review enrollment logs for replay activity.
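As an added illustration (not VAPT's code and not the Hybrid Agent's enrollment logic), the Python below shows the two controls this section and the root cause point at: a review pass over constructed enrollment log lines that flags any bootstrap token redeemed for more than one successful onboarding, and a single-use, expiring token store of the kind whose inconsistent enforcement the root cause describes. The log line format, field names, token values and addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log; the line format is an assumption, not VAPT's:
# "<ISO ts> ENROLL token=<id> agent=<name> src=<ip> result=<ok|denied>"
SAMPLE_LOG = """\
2026-02-20T10:00:01Z ENROLL token=tok-a1 agent=edge-01 src=10.0.1.10 result=ok
2026-02-20T10:02:15Z ENROLL token=tok-b2 agent=edge-02 src=10.0.1.11 result=ok
2026-02-21T03:14:07Z ENROLL token=tok-a1 agent=edge-01 src=198.51.100.7 result=denied
2026-02-21T03:14:09Z ENROLL token=tok-b2 agent=rogue-x src=198.51.100.7 result=ok
"""

def parse_enrollments(text):
    """Parse ENROLL lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1] != "ENROLL":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        fields["ts"] = parts[0]
        events.append(fields)
    return events

def find_replays(events):
    """Tokens behind more than one successful enrollment: duplicate onboarding."""
    uses = defaultdict(list)
    for e in events:
        if e.get("result") == "ok":
            uses[e["token"]].append(e)
    return {tok: {"count": len(es),
                  "agents": sorted({e["agent"] for e in es}),
                  "sources": sorted({e["src"] for e in es})}
            for tok, es in uses.items() if len(es) > 1}

class BootstrapTokenStore:
    """Single-use, expiring tokens: the invalidation the advisory says was missing."""
    def __init__(self, ttl_seconds=900):
        self._expiry = {}       # token -> epoch seconds after which it is dead
        self._consumed = set()  # tokens already redeemed once
        self.ttl = ttl_seconds
    def issue(self, token, now):
        self._expiry[token] = now + self.ttl
    def redeem(self, token, now):
        """True only for the first use of a live token; replays get False."""
        exp = self._expiry.get(token)
        if token in self._consumed or exp is None or now > exp:
            return False
        self._consumed.add(token)   # burn on first use
        return True
```

Running `find_replays(parse_enrollments(SAMPLE_LOG))` on the constructed log flags only `tok-b2`, redeemed once by `edge-02` and again by `rogue-x` from a different source; the denied reuse of `tok-a1` is not a successful onboarding and is left out.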
Tools
No downloadable tools or authenticated evidence packages are attached to this case.
What We Are Doing
The VAPT case is currently marked active, with patch status reported as available. VAPT continues to keep the public lifecycle aligned with coordinated disclosure milestones and remediation visibility.
Timeline
| Date | Description |
|---|---|
| Feb 22, 2026 | Initial report received: researcher submitted the replay findings with bootstrap evidence and reproduction notes. |
| Mar 7, 2026 | Patch prepared: engineering shipped token invalidation changes and trust-anchor rotation guidance. |
| Mar 11, 2026 | Case published: VAPT opened the public case page alongside the advisory and CVE publication. |
More Information
Proof narrative describing enrollment replay preconditions and observed system responses.
Relevant redacted traces demonstrating duplicate onboarding events.