CVE-2026-6863
Status: Received - Intake
Authorization Bypass in Velociraptor HTTP API

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Rapid7, Inc.

Description
Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads arbitrary files from other orgs, even without any explicit permissions in the target org. The problem does not occur in reverse: a user with read access to a sub-org cannot read from another org or from the root org.
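The description above characterises the flaw class (CWE-863: a check is performed, but not the right one). The following Go program is an added illustration written for this page; it is not Velociraptor's code and makes no claim about where the real defect sits. It models a hypothetical file-read endpoint whose authorization check is evaluated against the root org instead of the org named in the request, which reproduces both properties the advisory states: a root-org reader can read any org's files, while a sub-org reader is still denied elsewhere. The hardened version checks the permission in the org that owns the file. All org names, users, paths, the `X-User` header and the `/hypothetical/read` route are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constants modelled on the advisory's wording (hypothetical data model).
const (
	PermReadResults = "READ_RESULTS"
	RootOrg         = "root"
)

// Role grants: org -> user -> permission -> granted. Constructed sample data:
// alice is a reader in the root org only, bob is a reader in sub-org org_b only.
var acl = map[string]map[string]map[string]bool{
	RootOrg: {"alice": {PermReadResults: true}},
	"org_b": {"bob": {PermReadResults: true}},
}

// Constructed sample file store: org -> path -> contents.
var files = map[string]map[string]string{
	RootOrg: {"/results/summary.txt": "root data"},
	"org_b": {"/results/summary.txt": "org_b data"},
}

var (
	errForbidden = errors.New("forbidden")
	errNotFound  = errors.New("not found")
)

// hasPerm tolerates missing orgs/users: nil maps simply yield false.
func hasPerm(org, user, perm string) bool {
	return acl[org][user][perm]
}

// readFileVulnerable models the CWE-863 pattern: a permission check runs,
// but against the root org rather than the org the request names.
func readFileVulnerable(user, targetOrg, path string) (string, error) {
	if !hasPerm(RootOrg, user, PermReadResults) {
		return "", errForbidden
	}
	content, ok := files[targetOrg][path]
	if !ok {
		return "", errNotFound
	}
	return content, nil
}

// readFileFixed evaluates the permission in the org that owns the file.
func readFileFixed(user, targetOrg, path string) (string, error) {
	if !hasPerm(targetOrg, user, PermReadResults) {
		return "", errForbidden
	}
	content, ok := files[targetOrg][path]
	if !ok {
		return "", errNotFound
	}
	return content, nil
}

// handler wraps a read function as an HTTP GET endpoint. The user identity is
// taken from a header assumed to be set by upstream authentication (hypothetical).
func handler(read func(user, org, path string) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User")
		q := r.URL.Query()
		content, err := read(user, q.Get("org_id"), q.Get("path"))
		switch {
		case errors.Is(err, errForbidden):
			http.Error(w, err.Error(), http.StatusForbidden)
		case err != nil:
			http.Error(w, err.Error(), http.StatusNotFound)
		default:
			fmt.Fprint(w, content)
		}
	}
}

// Get issues one authenticated GET against h in-process and returns status and body.
func Get(h http.HandlerFunc, user, org, path string) (int, string) {
	q := url.Values{"org_id": {org}, "path": {path}}
	req := httptest.NewRequest(http.MethodGet, "/hypothetical/read?"+q.Encode(), nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, tc := range []struct {
		name string
		h    http.HandlerFunc
		user string
		org  string
	}{
		{"vulnerable: root reader -> org_b", handler(readFileVulnerable), "alice", "org_b"},
		{"vulnerable: sub-org reader -> root", handler(readFileVulnerable), "bob", RootOrg},
		{"fixed: root reader -> org_b", handler(readFileFixed), "alice", "org_b"},
		{"fixed: sub-org reader -> org_b", handler(readFileFixed), "bob", "org_b"},
	} {
		code, body := Get(tc.h, tc.user, tc.org, "/results/summary.txt")
		fmt.Printf("%-36s %d %q\n", tc.name, code, body)
	}
}
```

Running it shows the asymmetry the advisory describes: in the vulnerable model alice (root reader) receives `org_b data` with HTTP 200, bob (sub-org reader) is refused with 403 when asking for root-org files, and after the fix alice is refused for org_b while bob can still read his own org. When reviewing multi-tenant authorization code, the question to ask of every check is which tenant it was evaluated against, not merely whether a check exists.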
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: velociraptor
Product: velociraptor
Version / Range: up to 0.76.4 (excluding)
CWE ID: CWE-863
Description: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

Velociraptor versions prior to 0.76.4 have a security flaw in their HTTP API that allows a user with only the reader role in the root organization to bypass authorization controls. Although the reader role is meant to be very limited (only able to read results within its own organization), such a user can perform a single authenticated HTTP GET request to access files from other organizations without holding explicit permissions in those organizations.

Importantly, this vulnerability only works in one direction: a user with read access to a sub-organization cannot use this flaw to access data from the root organization or other organizations.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized data disclosure across organizational boundaries within Velociraptor. A user with minimal read permissions in the root organization could access sensitive files from other organizations that they should not have permission to view. This could result in exposure of confidential or sensitive information, potentially leading to data breaches or loss of trust.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows users with minimal permissions to read files across organizations, which can lead to unauthorized disclosure of sensitive data.

Such unauthorized data access can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.

Because the vulnerability results in a confidentiality impact, organizations using affected Velociraptor versions may face increased risk of non-compliance due to potential data breaches.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-6863, upgrade Velociraptor to the patched release for the series you run:

  • Upgrade to version 0.76.4 if you are using the 0.76 release series.
  • Upgrade to version 0.75.9 if you are using the 0.75 release series.
