CVE-2026-6863

MEDIUM 6.8

HTTP Filestore Endpoints Misapply Permissions Across Organizations

CVSS Score

6.8

EPSS Score

0.0%

EPSS Percentile

0th

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

CWE	CWE-863
Vendor	rapid7
Product	velociraptor
Published	May 6, 2026
Last Updated	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for rapid7 velociraptor

Be the first to know when new medium vulnerabilities affecting rapid7 velociraptor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Rapid7 / Velociraptor

0 < 0.76.4, 0.75.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.velociraptor.app: https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/

Credits

We thank Faisal Alhumaid ([email protected]) for reporting this issue responsibly.