Home

Description

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-06 | Updated 2026-05-06 | Assigner rapid7




MEDIUM: 6.8CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-863 Improper Authorization

Product status

Default status
unaffected

Any version before 0.76.4, 0.75.9
affected

Credits

We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly. finder

References

docs.velociraptor.app/...uncements/advisories/cve-2026-6863/

cve.org (CVE-2026-6863)

nvd.nist.gov (CVE-2026-6863)

Download JSON