CVE-2026-7573 PUBLISHED

GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations

Assigner: rapid7
Reserved: 01.05.2026 Published: 06.05.2026 Updated: 06.05.2026

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVSS Score: 5

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Velocidex
Product	velociraptor
Versions	Default: unaffected affected from 0 to 0.76.5 (excl.)

Credits

michaelddickenson finder

References

https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE

Impacts

CAPEC-37 Retrieve Embedded Sensitive Data