CVE-2026-6863 PUBLISHED

HTTP Filestore Endpoints Misapply Permissions Across Organizations

Assigner: rapid7
Reserved: 22.04.2026 Published: 06.05.2026 Updated: 06.05.2026

Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user holding only the reader role in the root organization (the lowest authenticated role, carrying only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads arbitrary files from other orgs, even when that user has no explicit permissions in the target org.

However, the problem does not occur in reverse: a user with read access to a sub-org is unable to read from other orgs or from the root org.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 6.8

Product Status

Vendor: Rapid7
Product: Velociraptor
Versions (default: unaffected):
  • affected from 0 up to 0.76.4 (excl.), and on the 0.75 line up to 0.75.9 (excl.)
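The affected range above has a wrinkle that a plain "less than 0.76.4" check gets wrong: the 0.75 maintenance line received a backported fix in 0.75.9, so 0.75.9 is unaffected while 0.76.0 through 0.76.3 are still affected. The following is an added example (not code from the advisory or from the Velociraptor project) that encodes those ranges as a version check a defender could run over a constructed server inventory; the `FIXED_MAIN` and `FIXED_BACKPORT` names and the inventory list are assumptions made for illustration.

```python
"""Added example: classify Velociraptor server versions against the
affected ranges stated in CVE-2026-6863 (not the vendor's own tooling).

Ranges as given in the advisory's Product Status block:
  - affected from 0 up to, but excluding, 0.76.4
  - on the 0.75 line, fixed in 0.75.9 (0.75.9 and later 0.75.x are unaffected)
"""
import re

# Accepts "0.76.3", "v0.76.3", or "0.76.3-something"; only the numeric triple matters.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Assumed names for the two fix boundaries taken from the advisory.
FIXED_MAIN = (0, 76, 4)                 # first fixed release on the current line
FIXED_BACKPORT = {(0, 75): (0, 75, 9)}  # maintenance line with a backported fix


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) or raise if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range for CVE-2026-6863."""
    v = parse_version(text)
    line = v[:2]
    # A maintenance line with its own fix is compared against that fix,
    # not against the newest release; otherwise 0.75.9 would be misreported.
    if line in FIXED_BACKPORT:
        return v < FIXED_BACKPORT[line]
    return v < FIXED_MAIN


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map hostname -> affected flag for a {hostname: version} inventory."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    sample = {
        "vr-prod-01": "v0.76.3",
        "vr-prod-02": "0.76.4",
        "vr-legacy-01": "0.75.8",
        "vr-legacy-02": "0.75.9",
    }
    for host, flagged in triage(sample).items():
        print(f"{host}: {'AFFECTED, upgrade' if flagged else 'ok'}")
```

Versions on the 0.76 line (including 0.76.0, which is numerically above 0.75.9) are compared against 0.76.4; only the 0.75 line uses the backport boundary, which matches the two upgrade targets listed under Solutions.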

Solutions

To remediate, you will need to upgrade your server (https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade) to the latest version of your release:

  • For 0.76 releases, upgrade immediately to v0.76.4: https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64
  • For 0.75 releases, upgrade immediately to v0.75.9: https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64

Credits

  • We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly. (finder)

References

Problem Types

  • CWE-863 Improper Authorization

Impacts

  • CAPEC-114 Authentication Abuse