logo

Database

Authentication mechanism absence or evasion In www.velocidex.com/golang/velociraptor

Description

Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-62902. NVD-2026-62903. OSV-2026-62904. GCVE-2026-6290

References

1. https://docs.velociraptor.app/announcements/advisories/cve-2026-6290

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.