CVE-2026-6863 - Vulnerability Details - OpenCVE

ReportizFlow

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rapid7	Velociraptor

No data.

No data.

References

Link	Providers
https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/

History

Wed, 06 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rapid7 Rapid7 velociraptor
Vendors & Products		Rapid7 Rapid7 velociraptor

Wed, 06 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
Title		HTTP Filestore Endpoints Misapply Permissions Across Organizations
Weaknesses		CWE-863
References		https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2026-05-06T14:50:55.631Z

Updated: 2026-05-06T15:27:40.088Z

Reserved: 2026-04-22T14:25:24.122Z

Link: CVE-2026-6863

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T16:16:12.030

Modified: 2026-05-06T16:16:12.030

Link: CVE-2026-6863

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6863", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2026-04-22T14:25:24.122Z", "datePublished": "2026-05-06T14:50:55.631Z", "dateUpdated": "2026-05-06T15:27:40.088Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-05-06T14:54:19.814Z"}, "title": "HTTP Filestore Endpoints Misapply Permissions Across Organizations", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Improper Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "affected": [{"vendor": "Rapid7", "product": "Velociraptor", "platforms": ["Linux"], "repo": "https://github.com/Velocidex/velociraptor", "versions": [{"status": "affected", "version": "0", "lessThan": "0.76.4, 0.75.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\n\n\n\nHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.</p><p>However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.</p>"}]}], "references": [{"url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "To remediate, you will need to\u00a0 upgrade your server https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade \u00a0to the latest version of your release:\n\n * For 0.76 releases, upgrade immediately to\u00a0 v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n * For 0.75 releases, upgrade immediately to\u00a0 v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>To remediate, you will need to <a href=\"https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade\">upgrade your server</a> to the latest version of your release:</p><ul><li>For 0.76 releases, upgrade immediately to <a href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64\" target=\"_blank\">v0.76.4</a></li><li>For 0.75 releases, upgrade immediately to <a href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64\" target=\"_blank\">v0.75.9</a></li></ul>"}]}], "credits": [{"lang": "en", "value": "We thank Faisal Alhumaid ([email protected]) for reporting this issue responsibly.", "type": "finder"}], "source": {"advisory": "docs.velociraptor.app/announcements/advisories/cve-2026-6863/", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-06T15:26:49.596766Z", "id": "CVE-2026-6863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-06T15:27:40.088Z"}}]}}