CVE-2026-6863

EUVD-2026-27844

06.05.2026, 16:16

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.



However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Vulnerability Media Exposure

[GERMAN] Rapid7 Velociraptor: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Rapid7 Velociraptor ausnutzen, um Informationen offenzulegen, und um einen Denial of Service Angriff durchzuführen.
Published: 2026-04-28T22:00:00+00:00

References

https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/