Mitigation Strategies

Immediate mitigation steps include upgrading Velociraptor to version 0.76.5 or later, where the authorization bypass issue is fixed.

Additionally, securing high-privilege accounts with two-factor authentication (2FA) and Single Sign-On (SSO) is recommended to reduce the risk of attackers leveraging exposed roles and permissions.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-7573 is an authorization bypass vulnerability in the GetUserRoles gRPC API endpoint of Velociraptor versions below 0.76.5.

It allows any authenticated low-privilege user to retrieve the complete access control list (ACL) policy, including roles and permissions, for any user across all organizations by supplying targeted Name and Org parameters in a network request.

The vulnerability arises from improper authorization checks (CWE-639) and requires the attacker to know the target user's organization ID and username.

Useful 0 Not Useful 0

Impact Analysis

Exploiting this vulnerability allows an attacker with low privileges to enumerate roles and permissions of any user across all organizations.

While the exposed data cannot be directly used for further attacks, it can help attackers identify and target high-privilege accounts.

This could lead to increased risk of privilege escalation or targeted attacks on sensitive accounts.

Recommended mitigations include securing high-privilege accounts with two-factor authentication and single sign-on (SSO), or upgrading Velociraptor to version 0.76.5 or later.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network requests to the GetUserRoles gRPC API endpoint in Velociraptor for unusual or unauthorized queries that include targeted Name and Org parameters.

Specifically, detection involves identifying any authenticated low-privilege user making requests that attempt to enumerate ACL policies (roles and permissions) for other users across organizations.

While no explicit commands are provided, network traffic analysis tools or gRPC request logging can be used to inspect calls to the GetUserRoles endpoint with suspicious parameters.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows low-privilege authenticated users to retrieve complete ACL policies, including roles and permissions, for any user across all organizations. While the exposed data does not include direct personal or sensitive information, the unauthorized disclosure of access control details could potentially aid attackers in targeting high-privilege accounts.

This exposure of authorization data may impact compliance with standards like GDPR or HIPAA, which require strict controls over access to sensitive information and user data. Unauthorized access to role and permission information could be considered a failure in access control mechanisms, potentially leading to non-compliance with these regulations.

Mitigations such as enforcing two-factor authentication and single sign-on for high-privilege accounts, or upgrading to a fixed version, are recommended to reduce the risk and help maintain compliance.

Useful 0 Not Useful 0