
Rapid7 Velociraptor vulnerabilities

20 known vulnerabilities affecting rapid7/velociraptor.

Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 14, LOW 1

Vulnerabilities

CVE-2025-6264 | P1 | MEDIUM | CVSS 5.5 | Exploited | Ransomware | fixed in 0.74.3 | 2025-06-20
CVE-2025-6264 [MEDIUM] CWE-276: Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used
nvd
CVE-2023-0242 | P3 | HIGH | CVSS 8.8 | fixed in 0.6.7-5 | 2023-01-18
CVE-2023-0242 [HIGH] CWE-269: Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for readi
nvd
CVE-2026-6290 | P3 | CRITICAL | CVSS 9.1 | fixed in 0.76.3, 0.75.8 | 2026-04-15
CVE-2026-6290 [CRITICAL] CWE-863: Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions
nvd
CVE-2026-7573 | P3 | HIGH | CVSS 7.7 | fixed in 0.76.5 | 2026-05-06
CVE-2026-7573 [HIGH] CWE-639: An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.
nvd
CVE-2026-5329 | P3 | MEDIUM | CVSS 6.5 | ≤ 0.75.6 | ≥ 0.76, < 0.76.3 | 2026-04-09
CVE-2026-5329 [MEDIUM] CWE-20: Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler t
nvd
CVE-2025-14728 | P3 | MEDIUM | CVSS 6.8 | fixed in 0.75.6 | 2025-12-29
CVE-2025-14728 [MEDIUM] CWE-22: Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a "
nvd
CVE-2026-8795 | P3 | HIGH | CVSS 7.8 | fixed in 0.76.6 | 2026-06-09
CVE-2026-8795 [HIGH] CWE-74: A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newl
nvd
CVE-2024-10526 | P3 | HIGH | CVSS 8.6 | v<0.73.2 | 2024-11-07
CVE-2024-10526 [HIGH] CWE-552: Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local us
nvd
CVE-2026-6863 | P3 | MEDIUM | CVSS 6.8 | fixed in 0.76.4, 0.75.9 | 2026-05-06
CVE-2026-6863 [MEDIUM] CWE-863: Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permis
nvd
CVE-2023-2226 | P4 | MEDIUM | CVSS 5.3 | fixed in 0.6.8 | 2023-04-21
CVE-2023-2226 [MEDIUM] CWE-125: Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files. For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect a
nvd
CVE-2022-35629 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.6.5-2 | ≥ 0.6.5-2, < 0.6.5-2 | 2022-07-29
CVE-2022-35629 [MEDIUM] CWE-287: Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.
nvd
CVE-2023-5950 | P4 | MEDIUM | CVSS 6.1 | fixed in 0.6.9-1 | v0.7.0 | +2 more | 2023-11-06
CVE-2023-5950 [MEDIUM] CWE-79: Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patche
nvd
CVE-2026-6948 | P4 | MEDIUM | CVSS 4.9 | fixed in 0.76.4 | fixed in 0.75.9 | 2026-05-04
CVE-2026-6948 [MEDIUM] CWE-770: Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
nvd
CVE-2023-0290 | P4 | MEDIUM | CVSS 4.3 | fixed in 0.6.7-5 | 2023-01-18
CVE-2023-0290 [MEDIUM] CWE-22: Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collectio
nvd
CVE-2022-35630 | P4 | MEDIUM | CVSS 6.1 | fixed in 0.6.5-2 | ≥ 0.6.5-2, < 0.6.5-2 | 2022-07-29
CVE-2022-35630 [MEDIUM] CWE-79: A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
nvd
CVE-2022-35631 | P4 | MEDIUM | CVSS 5.5 | fixed in 0.6.5-2 | ≥ 0.6.5-2, < 0.6.5-2 | 2022-07-29
CVE-2022-35631 [MEDIUM] CWE-377: On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2.
nvd
CVE-2021-3619 | P4 | MEDIUM | CVSS 4.8 | fixed in 0.6.0 | ≥ 0.5.9, ≤ 0.5.9 | 2021-07-22
CVE-2021-3619 [MEDIUM] CWE-79: Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and ver
nvd
CVE-2026-7572 | P4 | MEDIUM | CVSS 5.5 | fixed in 0.76.5 | 2026-05-06
CVE-2026-7572 [MEDIUM] CWE-193: An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
nvd
CVE-2022-35632 | P4 | MEDIUM | CVSS 4.8 | fixed in 0.6.5-2 | ≥ 0.6.5-2, < 0.6.5-2 | 2022-07-29
CVE-2022-35632 [MEDIUM] CWE-79: The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2.
nvd
CVE-2025-0914 | P4 | LOW | CVSS 3.8 | fixed in 0.73.4 | 2025-02-27
CVE-2025-0914 [LOW] CWE-281: An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only a
nvd