CVE-2026-6290
Insecure Access Control in Velociraptor query() Plugin Allows Data Exposure
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: Rapid7, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rapid7 | velociraptor | up to 0.76.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6290 is a high-severity vulnerability in Velociraptor versions prior to 0.76.3, specifically in the query() plugin.
The vulnerability arises from incorrect authorization where the query() plugin allows an authenticated GUI user with access to one organization (org) to run VQL queries on other orgs they should not have access to.
The user inherits their permissions from the org containing the notebook, effectively allowing them to access data and perform actions across multiple orgs without proper authorization.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access across organizational boundaries within Velociraptor deployments.
An attacker with high privileges in one org can exploit this flaw to access, modify, or disrupt data and operations in other orgs, impacting confidentiality, integrity, and availability.
Because the vulnerability allows scope change and affects multiple security aspects, it poses a significant risk to environments relying on org separation to restrict user access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-6290 vulnerability, you should disable the query() plugin by adding the following configuration to your server.config.yaml file:

```yaml
security:
  denied_plugins:
    - query
```
Additionally, you should upgrade Velociraptor to version 0.76.3 (for 0.76 releases) or 0.75.8 (for 0.75 releases) to fully remediate the issue.
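As an added example (not part of this record and not Velociraptor's own code), the following Python script checks whether a server is covered by either of the two measures the answer describes: the `denied_plugins` workaround in server.config.yaml, or a build at or above the fixed versions stated above (0.76.3 for the 0.76 line, 0.75.8 for the 0.75 line). It assumes the configuration has already been loaded into a dict (for instance with a YAML library); the sample configs and the function names are constructed for the example.

```python
"""Assess a Velociraptor server against the CVE-2026-6290 mitigations.

Added example; not part of the CVE record or of Velociraptor itself.
Assumes server.config.yaml has already been parsed into a dict.
"""
import re

# Fixed versions stated in the record: 0.76.3 for the 0.76 release line,
# 0.75.8 for the 0.75 release line (keys are (major, minor)).
FIXED_VERSIONS = {(0, 76): (0, 76, 3), (0, 75): (0, 75, 8)}


def parse_version(version: str) -> tuple:
    """Turn '0.76.2' (optionally with a 'v' prefix) into (0, 76, 2)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(version: str) -> bool:
    """True if the running build carries the fix for CVE-2026-6290."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return v >= fixed        # same release line: compare the patch level
    return v >= (0, 76, 3)       # other lines: affected below 0.76.3, fixed above


def query_plugin_denied(config: dict) -> bool:
    """True if server.config.yaml lists query under security.denied_plugins."""
    security = config.get("security") or {}
    denied = security.get("denied_plugins") or []
    return "query" in denied


def assess(config: dict, version: str) -> dict:
    """Summarise the server's state: either a fixed build or the plugin
    denial is enough to mitigate; only the upgrade fully remediates."""
    fixed = is_fixed_version(version)
    denied = query_plugin_denied(config)
    return {
        "version": version,
        "remediated": fixed,
        "query_plugin_denied": denied,
        "mitigated": fixed or denied,
    }


# Constructed sample configurations for demonstration.
UNMITIGATED_CONFIG = {"security": {}}
WORKAROUND_CONFIG = {"security": {"denied_plugins": ["query"]}}

if __name__ == "__main__":
    for cfg, ver in [(UNMITIGATED_CONFIG, "0.76.2"),
                     (WORKAROUND_CONFIG, "0.76.2"),
                     (UNMITIGATED_CONFIG, "0.75.8")]:
        print(assess(cfg, ver))
```

The version check treats the two release lines separately because the record gives a distinct fix version for each; a 0.75 build is compared against 0.75.8, everything else against 0.76.3. Loading the real file with a YAML parser and passing the resulting dict to `assess()` is the only change needed to run it against a live configuration.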
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user with access to one organization to execute queries on other organizations without proper authorization, leading to unauthorized access to potentially sensitive data.
Such unauthorized access and potential data exposure can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of confidential information.
The vulnerability results in a high impact on confidentiality, integrity, and availability, which are core principles in many compliance frameworks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection commands or methods to identify exploitation of CVE-2026-6290 on a network or system.