CVE-2026-6863
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in Velociraptor HTTP API

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Rapid7, Inc.

Description
Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6863
EUVD
EUVD-2026-27844
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
velociraptor velociraptor to 0.76.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Velociraptor versions prior to 0.76.4 have a security flaw in their HTTP API that allows a user with only the reader role in the root organization to bypass authorization controls. This means that even though the reader role is supposed to have very limited permissions (only able to read results within their own organization), such a user can perform a single authenticated HTTP GET request to access files from other organizations without having explicit permissions for those organizations.

Importantly, this vulnerability only works in one direction: a user with read access to a sub-organization cannot use this flaw to access data from the root organization or other organizations.

Impact Analysis

This vulnerability can lead to unauthorized data disclosure across organizational boundaries within Velociraptor. A user with minimal read permissions in the root organization could access sensitive files from other organizations that they should not have permission to view. This could result in exposure of confidential or sensitive information, potentially leading to data breaches or loss of trust.

Compliance Impact

The vulnerability allows unauthorized reading of files across organizations by users with minimal permissions, which can lead to unauthorized disclosure of sensitive data.

Such unauthorized data access can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.

Because the vulnerability results in a confidentiality impact, organizations using affected Velociraptor versions may face increased risk of non-compliance due to potential data breaches.

Mitigation Strategies

To mitigate the CVE-2026-6863 vulnerability, you should upgrade Velociraptor to the latest patched versions.

  • Upgrade to version 0.76.4 if you are using the 0.76 release series.
  • Upgrade to version 0.75.9 if you are using the 0.75 release series.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart