CVE-2026-6863

Published: May 6, 2026

Modified: May 6, 2026

Status: PUBLISHED

CVSS v3.1: 6.8 (MEDIUM)

Description

Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only the READ_RESULTS permission) can issue a single authenticated HTTP GET request that reads any file from other orgs, even if the user has no explicit permissions in the target org. The problem does not occur in reverse: a user with read access to a sub-org is unable to read from other orgs or from the root org.

Vendor: Rapid7

Product: Velociraptor

Versions: affected 0 - < 0.76.4, 0.75.9

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network

Attack Complexity: Low

Privileges Required: High

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: None

Availability: None
