Skip to main content

Velociraptor CVE-2026-6863

| EUVDEUVD-2026-27844 MEDIUM
Incorrect Authorization (CWE-863)
2026-05-06 rapid7 GHSA-2v93-vp82-cjv8
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 06, 2026 - 17:02 EUVD
Analysis Generated
May 06, 2026 - 16:00 vuln.today

DescriptionCVE.org

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

AnalysisAI

Velociraptor versions prior to 0.76.4 allow authenticated users with reader role in the root organization to bypass cross-organization authorization controls via HTTP API GET requests, enabling them to read arbitrary files from other organizations regardless of their permissions in those target organizations. The vulnerability requires high privilege context (authenticated reader in root org) but has high confidentiality impact across organization boundaries. This is a horizontal privilege escalation affecting multi-tenant deployments where organizational isolation is a critical security boundary.

Technical ContextAI

Velociraptor is a digital forensics and incident response platform that supports multi-organization deployments with role-based access control. The vulnerability exists in the HTTP API authorization layer, specifically in how GET request handlers validate cross-organization access permissions. The root cause is improper access control checks (CWE-863: Incorrect Authorization) that fail to enforce organization boundaries for authenticated users. The flaw allows a reader-role user in the root organization to construct authenticated API requests that bypass authorization validation for resources belonging to subordinate organizations, despite the CVSS vector indicating PR:H (high privilege required), the actual impact is that the lowest authenticated role in the privileged root organization can access resources beyond its intended scope.

RemediationAI

Upgrade Velociraptor to version 0.76.4 or later to receive the vendor-released patch that corrects the cross-organization authorization bypass. For organizations unable to immediately upgrade, implement network-level mitigations by restricting HTTP API access to the Velociraptor server to trusted administrative networks only, and audit IAM assignments to ensure reader role in root organization is granted only to users with legitimate need for multi-organization access. Additionally, enable and monitor HTTP API audit logs to detect anomalous cross-organization access patterns from root organization reader accounts. Note that these compensating controls do not fully mitigate the vulnerability - they reduce exploitability surface by limiting authentication opportunities and detect-only suspicious activity - so patching remains the primary remediation path.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-6863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy