Medium severity6.8NVD Advisory· Published May 6, 2026· Updated May 7, 2026

CVE-2026-6863

Description

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
www.velocidex.com/golang/velociraptorGo	< 0.76.4	0.76.4

Affected products

Velociraptor/Velociraptorinferred
Range: <0.76.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-2v93-vp82-cjv8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-6863ghsaADVISORY
docs.velociraptor.app/announcements/advisories/cve-2026-6863ghsaWEB
docs.velociraptor.app/announcements/advisories/cve-2026-6863/nvd

News mentions

Thus Spoke…The Gentlemen
Check Point Research · May 13, 2026
ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories
The Hacker News · Apr 30, 2026
PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks
The Hacker News · Apr 27, 2026
From Bulk Export to AI-ready Security Workflows: Introducing Rapid7’s Open-Source MCP Server and Agent Skill
Rapid7 Blog · Apr 21, 2026
EDR killers explained: Beyond the drivers
ESET WeLiveSecurity · Mar 19, 2026

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000