CVE-2026-6290
Received Received - Intake
Insecure Access Control in Velociraptor query() Plugin Allows Data Exposure

Publication date: 2026-04-15

Last updated on: 2026-04-23

Assigner: Rapid7, Inc.

Description
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6290
EUVD
EUVD-2026-22995
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rapid7 velociraptor to 0.76.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6290 is a high-severity vulnerability in Velociraptor versions prior to 0.76.3, specifically in the query() plugin.

The vulnerability arises from incorrect authorization where the query() plugin allows an authenticated GUI user with access to one organization (org) to run VQL queries on other orgs they should not have access to.

The user inherits their permissions from the org containing the notebook, effectively allowing them to access data and perform actions across multiple orgs without proper authorization.

Impact Analysis

This vulnerability can lead to unauthorized access across organizational boundaries within Velociraptor deployments.

An attacker with high privileges in one org can exploit this flaw to access, modify, or disrupt data and operations in other orgs, impacting confidentiality, integrity, and availability.

Because the vulnerability allows scope change and affects multiple security aspects, it poses a significant risk to environments relying on org separation to restrict user access.

Mitigation Strategies

To mitigate the CVE-2026-6290 vulnerability, you should disable the query() plugin by adding the following configuration to your server.config.yaml file:

security: denied_plugins: - query

Additionally, you should upgrade Velociraptor to version 0.76.3 (for 0.76 releases) or 0.75.8 (for 0.75 releases) to fully remediate the issue.

Compliance Impact

This vulnerability allows an authenticated user with access to one organization to execute queries on other organizations without proper authorization, leading to unauthorized access to potentially sensitive data.

Such unauthorized access and potential data exposure can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of confidential information.

The vulnerability results in a high impact on confidentiality, integrity, and availability, which are core principles in many compliance frameworks.

Detection Guidance

There is no specific information provided about detection commands or methods to identify exploitation of CVE-2026-6290 on a network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6290. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart