Velocidex Velociraptor has an Incorrect Authorization issue

GHSA-2v93-vp82-cjv8 · CVE-2026-6863 · GO-2026-4997

Published May 6, 2026 · Modified May 20, 2026

Description

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-6863
WEB https://docs.velociraptor.app/announcements/advisories/cve-2026-6863
PACKAGE https://github.com/Velocidex/velociraptor

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes