CVE-2026-7573
Authorization Bypass in Velociraptor gRPC API
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Rapid7, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| velocidex | velociraptor | to 0.76.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Velociraptor to version 0.76.5 or later, where the authorization bypass issue is fixed.
Additionally, securing high-privilege accounts with two-factor authentication (2FA) and Single Sign-On (SSO) is recommended to reduce the risk of attackers leveraging exposed roles and permissions.
Can you explain this vulnerability to me?
CVE-2026-7573 is an authorization bypass vulnerability in the GetUserRoles gRPC API endpoint of Velociraptor versions below 0.76.5.
It allows any authenticated low-privilege user to retrieve the complete access control list (ACL) policy, including roles and permissions, for any user across all organizations by supplying targeted Name and Org parameters in a network request.
The vulnerability arises from improper authorization checks (CWE-639) and requires the attacker to know the target user's organization ID and username.
How can this vulnerability impact me? :
Exploiting this vulnerability allows an attacker with low privileges to enumerate roles and permissions of any user across all organizations.
While the exposed data cannot be directly used for further attacks, it can help attackers identify and target high-privilege accounts.
This could lead to increased risk of privilege escalation or targeted attacks on sensitive accounts.
Recommended mitigations include securing high-privilege accounts with two-factor authentication and single sign-on (SSO), or upgrading Velociraptor to version 0.76.5 or later.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network requests to the GetUserRoles gRPC API endpoint in Velociraptor for unusual or unauthorized queries that include targeted Name and Org parameters.
Specifically, detection involves identifying any authenticated low-privilege user making requests that attempt to enumerate ACL policies (roles and permissions) for other users across organizations.
While no explicit commands are provided, network traffic analysis tools or gRPC request logging can be used to inspect calls to the GetUserRoles endpoint with suspicious parameters.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows low-privilege authenticated users to retrieve complete ACL policies, including roles and permissions, for any user across all organizations. While the exposed data does not include direct personal or sensitive information, the unauthorized disclosure of access control details could potentially aid attackers in targeting high-privilege accounts.
This exposure of authorization data may impact compliance with standards like GDPR or HIPAA, which require strict controls over access to sensitive information and user data. Unauthorized access to role and permission information could be considered a failure in access control mechanisms, potentially leading to non-compliance with these regulations.
Mitigations such as enforcing two-factor authentication and single sign-on for high-privilege accounts, or upgrading to a fixed version, are recommended to reduce the risk and help maintain compliance.