CVE-2026-7573 - Vulnerability Details

- GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations

Description

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.

Published: 2026-05-06

Score: 5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The GetUserRoles gRPC API in Velocidex Velociraptor contains an authorization bypass flaw (CWE‑639). If an attacker can authentically log in with a low‑privilege account, they may supply a target user’s name and organization in the request and receive the entire ACL policy for that user, revealing the roles and permissions granted to them. This grants wide visibility into the authorization structure, which could be leveraged to plan privilege escalation attacks.

Affected Systems

Velocidex Velociraptor installations running any version earlier than 0.76.5 are vulnerable; the flaw exists in all releases before this update.

Risk and Exploitability

The vulnerability receives a CVSS score of 5.0 and is currently not tracked in the KEV catalog, with no EPSS data available. It requires network access to the gRPC endpoint and valid user credentials, so it can be exploited by legitimate users with low permissions. Because the impact is the disclosure of internal role information rather than service disruption or direct code execution, the overall risk is medium, but the information gained could facilitate subsequent attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Velocidex

velociraptor

unaffected

Version	Status	Constraints
`0`	affected	< 0.76.5

Configuration 1 [-]

AND

cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Velocidex

Velociraptor

100%

Version	Status	Scheme	Platform
`[0,0.76.5)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Velocidex Velociraptor 0.76.5 or later, which fixes the authorization bypass in the GetUserRoles API.
If an upgrade is not immediately feasible, restrict or disable the GetUserRoles endpoint for non‑admin users and enforce stricter RBAC checks before returning any policy data.
Implement monitoring and alerting on the GetUserRoles API to detect anomalous usage patterns by low‑privileged accounts.

Generated by OpenCVE AI on May 6, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3c93-g9g6-p5j4	Velocidex Velociraptor has an authorization bypass vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel Rapid7 Rapid7 velociraptor
CPEs		cpe:2.3:a:rapid7:velociraptor:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*
Vendors & Products		Linux Linux linux Kernel Rapid7 Rapid7 velociraptor

Wed, 06 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 06 May 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Velocidex Velocidex velociraptor
Vendors & Products		Velocidex Velocidex velociraptor

Wed, 06 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Description		An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.
Title		GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations
Weaknesses		CWE-639
References		https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}`

Subscriptions

Linux Linux Kernel

Rapid7 Velociraptor

Velocidex Velociraptor

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2026-05-06T02:15:34.491Z

Updated: 2026-05-06T16:17:18.756Z

Reserved: 2026-05-01T00:05:56.823Z

Link: CVE-2026-7573

Vulnrichment

Updated: 2026-05-06T16:16:51.311Z

NVD

Status : Analyzed

Published: 2026-05-06T03:15:59.440

Modified: 2026-06-01T16:58:59.007

Link: CVE-2026-7573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:21:20Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object