CVE-2026-6290

HIGH 8.0

Velociraptor Query() Plugin Misapplies Permissions To Orgs

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

0th

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.

CWE	CWE-863
Vendor	rapid7
Product	velociraptor
Published	Apr 15, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for rapid7 velociraptor

Be the first to know when new high vulnerabilities affecting rapid7 velociraptor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Rapid7 / Velociraptor

0 < 0.76.3, 0.75.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.velociraptor.app: https://docs.velociraptor.app/announcements/advisories/cve-2026-6290/

Credits

Faisal Alhumaid