CVE-2026-7573: Velocidex Velociraptor has an authorization bypass vulnerability

May 6, 2026 (updated May 11, 2026)

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.

References

docs.velociraptor.app/announcements/advisories/cve-2026-7573
github.com/advisories/GHSA-3c93-g9g6-p5j4
nvd.nist.gov/vuln/detail/CVE-2026-7573

Code Behaviors & Features

Detect and mitigate CVE-2026-7573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →