CVE-2026-6863 MEDIUM

CVE-2026-6863: HTTP Filestore Endpoints Misapply Permissions Across Organizations

Vendor Rapid7
Product Velociraptor
Weakness CWE-863 · Incorrect authorization
Published May 6, 2026
Last update May 6, 2026

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads files from other orgs, even if they have no explicit permissions in the target org. The problem does not occur in reverse: a user with read access to a sub-org is unable to read from other orgs or from the root org.

Key dates

Disclosure timeline

May 6, 2026 CVE published
May 6, 2026 Record updated