CVE-2026-6863
Published: 2026-05-06
Priority: P3 (38)
Severity: medium, CVSS 3.1 base score 6.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.24% (14.4th percentile)
Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user holding only the reader role in the root organization (the lowest authenticated role, which carries only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads arbitrary files belonging to other orgs, even though the user has no explicit permissions in the target org.
The problem does not occur in reverse: a user with read access to a sub-org cannot read from other orgs or from the root org.
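The advisory describes the classic CWE-863 shape: the permission check and the data access are scoped to different organizations. The following Go program is an added illustration of that bug class and is not Velociraptor's code; the types, the in-memory store, the org ID "org2", the file paths and the two handlers are all constructed here. Only the names READ_RESULTS, "reader" and the root org come from the advisory. The vulnerable handler authorizes against the org the session was opened in and then reads from the org named in the request; the hardened one authorizes in the org whose data is actually read. The model does not try to reproduce the one-directional behaviour the advisory notes, since the page does not state its cause.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission names follow the advisory (READ_RESULTS); everything else in this
// file is a constructed model of the bug class, not Velociraptor's real code.
type Permission string

const (
	ReadResults Permission = "READ_RESULTS"
	RootOrg                = "root"
)

// User carries per-org grants: org ID -> permissions held in that org.
type User struct {
	Name   string
	Grants map[string]map[Permission]bool
}

// Has reports whether the user holds permission p in the given org.
// A nil inner map simply yields false, i.e. no grant in that org.
func (u User) Has(orgID string, p Permission) bool { return u.Grants[orgID][p] }

// Store is a stand-in for per-org file storage: org ID -> path -> contents.
type Store map[string]map[string][]byte

// ReadRequest models one authenticated GET: the org the session belongs to,
// the org named in the request, and the path being fetched.
type ReadRequest struct {
	SessionOrg string
	TargetOrg  string
	Path       string
}

var ErrForbidden = errors.New("permission denied")

// serveVulnerable checks READ_RESULTS in the session's org but reads from the
// org named in the request. A root-org reader passes the check and is handed
// files from any other org.
func serveVulnerable(s Store, u User, r ReadRequest) ([]byte, error) {
	if !u.Has(r.SessionOrg, ReadResults) {
		return nil, ErrForbidden
	}
	return read(s, r.TargetOrg, r.Path)
}

// serveHardened authorizes in the org whose data is actually being read and
// refuses requests that name no org instead of defaulting to anything.
func serveHardened(s Store, u User, r ReadRequest) ([]byte, error) {
	if r.TargetOrg == "" || !u.Has(r.TargetOrg, ReadResults) {
		return nil, ErrForbidden
	}
	return read(s, r.TargetOrg, r.Path)
}

func read(s Store, orgID, path string) ([]byte, error) {
	data, ok := s[orgID][path]
	if !ok {
		return nil, fmt.Errorf("no file %q in org %q", path, orgID)
	}
	return data, nil
}

// SampleStore and RootReader are constructed fixtures: a root org, one
// sub-org "org2", and a user who is a reader in the root org only.
func SampleStore() Store {
	return Store{
		RootOrg: {"/results/root.json": []byte(`{"org":"root"}`)},
		"org2":  {"/results/secret.json": []byte(`{"org":"org2","secret":true}`)},
	}
}

func RootReader() User {
	return User{Name: "reader", Grants: map[string]map[Permission]bool{
		RootOrg: {ReadResults: true},
	}}
}

// CrossOrgRead sends the advisory's scenario (root reader asks for a sub-org
// file) through the given handler and reports whether the file was released.
func CrossOrgRead(handler func(Store, User, ReadRequest) ([]byte, error)) bool {
	req := ReadRequest{SessionOrg: RootOrg, TargetOrg: "org2", Path: "/results/secret.json"}
	data, err := handler(SampleStore(), RootReader(), req)
	return err == nil && len(data) > 0
}

func main() {
	fmt.Println("vulnerable handler leaks cross-org file:", CrossOrgRead(serveVulnerable))
	fmt.Println("hardened handler leaks cross-org file:  ", CrossOrgRead(serveHardened))
}
```

The practical check when reviewing multi-tenant handlers is the one the hardened version makes explicit: the org (or tenant) used for the permission lookup must be the same value used to select the data, derived once and never re-read from a second request parameter.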
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rapid7 | velociraptor | < 0.76.4 | 0.76.4 (0.75.9 for the 0.75.x series) |
| www.velocidex.com | golang_velociraptor | >= 0, < 0.76.4 | 0.76.4 |
GHSA
GHSA-2v93-vp82-cjv8 (unreviewed, 2026-05-06): CVE-2026-6863, MEDIUM, CWE-863. Indexed title: "Velociraptor versions prior to 0"
GHSA (reviewed, 2026-05-06): "Velocidex Velociraptor has an Incorrect Authorization issue", CVE-2026-6863, MEDIUM, CWE-863.
Both entries carry the description above verbatim.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.