CVE-2026-6863 | Published 2026-05-06 14:50 | CNA: rapid7
State: PUBLISHED | CVE record format 5.2 | CWE-863

HTTP Filestore Endpoints Misapply Permissions Across Organizations

Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads any file from other orgs, even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse: a user with read access to a sub-org is unable to read from other orgs or from the root org.

Problem type: CWE-863 Improper Authorization

Affected products

Rapid7

Velociraptor

< 0.76.4 (0.76 branch) and < 0.75.9 (0.75 branch): AFFECTED

References

GitHub Security Advisories

GHSA-2v93-vp82-cjv8

Velocidex Velociraptor has an Incorrect Authorization issue

https://github.com/advisories/GHSA-2v93-vp82-cjv8

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-6863
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-6863",
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "dateUpdated": "2026-05-06T15:27:40.088Z",
    "dateReserved": "2026-04-22T14:25:24.122Z",
    "datePublished": "2026-05-06T14:50:55.631Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7",
        "dateUpdated": "2026-05-06T14:54:19.814Z"
      },
      "title": "HTTP Filestore Endpoints Misapply Permissions Across Organizations",
      "descriptions": [
        {
          "lang": "en",
          "value": "Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\n\n\n\nHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.</p><p>However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.</p>"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Rapid7",
          "product": "Velociraptor",
          "platforms": [
            "Linux"
          ],
          "repo": "https://github.com/Velocidex/velociraptor",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "0.76.4, 0.75.9"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-863 Improper Authorization",
              "cweId": "CWE-863",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "To remediate, you will need to  upgrade your server https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade  to the latest version of your release:\n\n  *  For 0.76 releases, upgrade immediately to  v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n  *  For 0.75 releases, upgrade immediately to  v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "<p>To remediate, you will need to&nbsp;<a href=\"https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade\">upgrade your server</a>&nbsp;to the latest version of your release:</p><ul><li>For 0.76 releases, upgrade immediately to&nbsp;<a href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64\" target=\"_blank\">v0.76.4</a></li><li>For 0.75 releases, upgrade immediately to&nbsp;<a href=\"https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64\" target=\"_blank\">v0.75.9</a></li></ul>"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-05-06T15:27:40.088Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}