CVE-2026-6863: Velocidex Velociraptor has an Incorrect Authorization issue

May 6, 2026 (updated May 11, 2026)

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org.

However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org.

References

docs.velociraptor.app/announcements/advisories/cve-2026-6863
github.com/advisories/GHSA-2v93-vp82-cjv8
nvd.nist.gov/vuln/detail/CVE-2026-6863

Code Behaviors & Features

Detect and mitigate CVE-2026-6863 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →