NuytsTech Security

CVE-2026-6863

by ·

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs – even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse – a user with read access to a sub org is unable to read from other org or the root org.

More information : https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/

Tags: