{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6863","assignerOrgId":"9974b330-7714-4307-a722-5648477acda7","state":"PUBLISHED","assignerShortName":"rapid7","dateReserved":"2026-04-22T14:25:24.122Z","datePublished":"2026-05-06T14:50:55.631Z","dateUpdated":"2026-05-06T15:27:40.088Z"},"containers":{"cna":{"providerMetadata":{"orgId":"9974b330-7714-4307-a722-5648477acda7","shortName":"rapid7","dateUpdated":"2026-05-06T14:54:19.814Z"},"title":"HTTP Filestore Endpoints Misapply Permissions Across Organizations","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-863","description":"CWE-863 Improper Authorization","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-114","descriptions":[{"lang":"en","value":"CAPEC-114 Authentication Abuse"}]}],"affected":[{"vendor":"Rapid7","product":"Velociraptor","platforms":["Linux"],"repo":"https://github.com/Velocidex/velociraptor","versions":[{"status":"affected","version":"0","lessThan":"0.76.4, 0.75.9","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.\n\n\n\nHowever, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.","supportingMedia":[{"type":"text/html","base64":false,"value":"

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

"}]}],"references":[{"url":"https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":6.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"}}],"solutions":[{"lang":"en","value":"To remediate, you will need to  upgrade your server https://docs.velociraptor.app/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade  to the latest version of your release:\n\n * For 0.76 releases, upgrade immediately to  v0.76.4 https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64 \n * For 0.75 releases, upgrade immediately to  v0.75.9 https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64","supportingMedia":[{"type":"text/html","base64":false,"value":"

To remediate, you will need to upgrade your server to the latest version of your release:

"}]}],"credits":[{"lang":"en","value":"We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.","type":"finder"}],"source":{"advisory":"docs.velociraptor.app/announcements/advisories/cve-2026-6863/","discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-06T15:26:49.596766Z","id":"CVE-2026-6863","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-06T15:27:40.088Z"}}]}}