Description
Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads any file from other orgs, even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse: a user with read access to a sub org is unable to read from another org or from the root org.
Published: 2026-05-06
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Velociraptor server hosting multiple organizations allows a user who holds only the reader role in the root organization to issue a single authenticated HTTP GET and read any file stored by other organizations, bypassing the intended isolation boundary between orgs. This is a cross-organization authorization bypass (CWE-863) that lets such a low-privilege user read confidential data, compromising the confidentiality of every organization the server manages.

Affected Systems

Rapid7 Velociraptor server builds prior to 0.76.4, including all 0.75.x releases, are affected. The flaw lies in the HTTP API's handling of the filestore endpoints and does not affect other components of the application.

Risk and Exploitability

The CVSS score is 6.8, denoting moderate severity, and the flaw can be exploited remotely via a single authenticated HTTP GET request. No EPSS score is available and the issue is not listed in CISA KEV, indicating no public exploitation has been reported yet. Despite this, the ability to read cross‑organization files makes it a moderate‑risk vulnerability that warrants prompt action.

Generated by OpenCVE AI on May 6, 2026 at 16:29 UTC.

Remediation

Vendor Solution

To remediate, you will need to upgrade your server (https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade) to the latest version of your release:

* For 0.76 releases, upgrade immediately to v0.76.4: https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64
* For 0.75 releases, upgrade immediately to v0.75.9: https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64

OpenCVE Recommended Actions

  • Upgrade Velociraptor to v0.76.4 or later; for 0.75 releases, upgrade to v0.75.9, following the in-place upgrade instructions in the Velociraptor documentation.
  • After upgrading, confirm that a user with only the reader role in the root organization can no longer access files from other organizations by performing a test HTTP GET against a file in a target organization and verifying that the request is denied.
  • Until the upgrade is completed, restrict or remove the root organization reader role from all users, or configure network policies to block HTTP access to the filestore endpoints for unauthenticated traffic.

Advisories

No advisories yet.

History

Thu, 07 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 23:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rapid7; Rapid7 velociraptor
Vendors & Products | | Rapid7; Rapid7 velociraptor

Wed, 06 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
Title | | HTTP Filestore Endpoints Misapply Permissions Across Organizations
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: rapid7
Published:
Updated: 2026-05-06T15:27:40.088Z
Reserved: 2026-04-22T14:25:24.122Z
Link: CVE-2026-6863

Vulnrichment

Updated: 2026-05-06T15:27:36.566Z

NVD

Status: Awaiting Analysis
Published: 2026-05-06T16:16:12.030
Modified: 2026-05-07T14:56:04.523
Link: CVE-2026-6863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:00:14Z

Weaknesses