Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.
However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.
AnalysisAI
Velociraptor versions prior to 0.76.4 allow authenticated users with reader role in the root organization to bypass cross-organization authorization controls via HTTP API GET requests, enabling them to read arbitrary files from other organizations regardless of their permissions in those target organizations. The vulnerability requires high privilege context (authenticated reader in root org) but has high confidentiality impact across organization boundaries. This is a horizontal privilege escalation affecting multi-tenant deployments where organizational isolation is a critical security boundary.
Technical ContextAI
Velociraptor is a digital forensics and incident response platform that supports multi-organization deployments with role-based access control. The vulnerability exists in the HTTP API authorization layer, specifically in how GET request handlers validate cross-organization access permissions. The root cause is improper access control checks (CWE-863: Incorrect Authorization) that fail to enforce organization boundaries for authenticated users. The flaw allows a reader-role user in the root organization to construct authenticated API requests that bypass authorization validation for resources belonging to subordinate organizations, despite the CVSS vector indicating PR:H (high privilege required), the actual impact is that the lowest authenticated role in the privileged root organization can access resources beyond its intended scope.
RemediationAI
Upgrade Velociraptor to version 0.76.4 or later to receive the vendor-released patch that corrects the cross-organization authorization bypass. For organizations unable to immediately upgrade, implement network-level mitigations by restricting HTTP API access to the Velociraptor server to trusted administrative networks only, and audit IAM assignments to ensure reader role in root organization is granted only to users with legitimate need for multi-organization access. Additionally, enable and monitor HTTP API audit logs to detect anomalous cross-organization access patterns from root organization reader accounts. Note that these compensating controls do not fully mitigate the vulnerability - they reduce exploitability surface by limiting authentication opportunities and detect-only suspicious activity - so patching remains the primary remediation path.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27844
GHSA-2v93-vp82-cjv8