Authentication mechanism absence or evasion in www.velocidex.com/golang/velociraptor

Description

Velocidex Velociraptor has an Incorrect Authorization issue. Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user holding only the reader role in the root organization (the lowest authenticated role, granting only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads files belonging to other organizations, even though that user has no explicit permissions in the target organization.

The problem does not occur in reverse: a user whose read access is limited to a sub-organization cannot read from another organization or from the root organization.
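The asymmetry above is the property to test for when triaging this bug: root-org permissions leaking into every other org, while sub-org permissions stay scoped. The following Go program is an added example, not Velociraptor's own code. It models a tiny multi-org file API, a vulnerable authorizer that honours root-org permissions as if they applied globally (an assumed model of the bug, chosen because it reproduces exactly the one-directional behaviour the advisory describes, not a statement of the real root cause), and a fixed authorizer that checks the permission in the org that owns the requested file. The `/api/read` path, the `org_id` and `path` query parameters, the `X-User` header standing in for an authenticated session, and the org names are all assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Permission is a hypothetical per-org permission name. READ_RESULTS is the
// permission named in the advisory; the surrounding types are assumptions
// for this example, not Velociraptor's own code.
type Permission string

const ReadResults Permission = "READ_RESULTS"

// Org holds, for one organization, each user's permissions and the files
// the HTTP API can serve (constructed sample data).
type Org struct {
	Perms map[string][]Permission
	Files map[string][]byte
}

type Server struct {
	Orgs map[string]*Org
}

func hasPerm(o *Org, user string, p Permission) bool {
	if o == nil {
		return false
	}
	for _, have := range o.Perms[user] {
		if have == p {
			return true
		}
	}
	return false
}

// authorizeVulnerable models the bypass: a permission held in the root org
// is accepted for any target org. A root reader therefore passes for every
// org, while a sub-org reader (no root permissions) is still confined to
// its own org, which is the asymmetry the advisory describes.
func (s *Server) authorizeVulnerable(user, targetOrg string, p Permission) bool {
	return hasPerm(s.Orgs["root"], user, p) || hasPerm(s.Orgs[targetOrg], user, p)
}

// authorizeFixed checks the permission only in the org that owns the file.
func (s *Server) authorizeFixed(user, targetOrg string, p Permission) bool {
	return hasPerm(s.Orgs[targetOrg], user, p)
}

// ReadFileHandler serves GET /api/read?org_id=...&path=... The caller
// identity is read from an X-User header (assumption: a stand-in for the
// authenticated session).
func (s *Server) ReadFileHandler(fixed bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User")
		targetOrg := r.URL.Query().Get("org_id")
		path := r.URL.Query().Get("path")
		authorize := s.authorizeVulnerable
		if fixed {
			authorize = s.authorizeFixed
		}
		if !authorize(user, targetOrg, ReadResults) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		org := s.Orgs[targetOrg]
		if org == nil || org.Files[path] == nil {
			http.NotFound(w, r)
			return
		}
		w.Write(org.Files[path])
	}
}

// Get issues one authenticated GET against h and returns the HTTP status.
func Get(h http.Handler, user, targetOrg, path string) int {
	q := url.Values{"org_id": {targetOrg}, "path": {path}}
	req := httptest.NewRequest(http.MethodGet, "/api/read?"+q.Encode(), nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// NewSampleServer builds a root org and one sub org, each with one reader
// holding only READ_RESULTS in that org (constructed sample data).
func NewSampleServer() *Server {
	return &Server{Orgs: map[string]*Org{
		"root": {
			Perms: map[string][]Permission{"root_reader": {ReadResults}},
			Files: map[string][]byte{"hunt.json": []byte(`{"org":"root"}`)},
		},
		"O123": {
			Perms: map[string][]Permission{"sub_reader": {ReadResults}},
			Files: map[string][]byte{"hunt.json": []byte(`{"org":"O123"}`)},
		},
	}}
}

func main() {
	s := NewSampleServer()
	for _, fixed := range []bool{false, true} {
		h := s.ReadFileHandler(fixed)
		fmt.Printf("fixed=%v root_reader->O123: %d, sub_reader->root: %d\n",
			fixed, Get(h, "root_reader", "O123", "hunt.json"),
			Get(h, "sub_reader", "root", "hunt.json"))
	}
}
```

Running it prints a 200 for the root reader's cross-org read under the vulnerable authorizer and a 403 under the fixed one, while the sub-org reader's request against root is refused in both cases. The general rule the fix encodes is that authorization for a resource must be evaluated against the tenant that owns the resource, never against the caller's home tenant.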

Mitigation

Upgrade to Velociraptor 0.76.4 or later, the first version the description names as fixed.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem: Go
Package: www.velocidex.com/golang/velociraptor
Affected version: < 0.76.4
Patched versions: 0.76.4