CVE-2026-6863 HTTP Filestore Endpoints Misapply Permissions Across Organizations

Publishedon 2026-04-28

CVSS · MEDIUM · 6.8 ⁄10 · CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Scoring scenario: GENERAL
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

Problem:

CWE-863: Improper Authorization CWE-863

Impact:

CAPEC-114: Authentication Abuse CAPEC-114

Product Status:

Product Affected
Rapid7 Velociraptor on Linux
source repo
Default status is unaffected 		before 0.76.4
before 0.75.9

Credits:

We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.

Timeline

  • 2026-04-19 Initial report by Faisal Alhumaid
  • 2026-04-28 Advisory published and patch distributed

To remediate, you will need to upgrade your server to the latest version of your release:

  • For 0.76 releases, upgrade immediately to v0.76.4
  • For 0.75 releases, upgrade immediately to v0.75.9