CVE-2026-6863 Overview
CVE-2026-6863 is a cross-organization authorization bypass in the Velociraptor HTTP API affecting versions prior to 0.76.4. A user holding only the reader role in the root organization can issue a single authenticated HTTP GET request to read files belonging to any other organization. The bypass works even when the user has no explicit permissions in the target organization. The flaw is classified as CWE-863: Incorrect Authorization. The reverse direction is not affected: users with read access in a sub-organization cannot access the root organization or other sub-organizations.
Critical Impact
Authenticated users with the lowest privilege role (READ_RESULTS) in the root organization can read arbitrary files across all tenant organizations, breaking multi-tenant isolation.
Affected Products
- Velociraptor versions prior to 0.76.4
- Velociraptor HTTP API endpoint
- Multi-tenant Velociraptor deployments using sub-organizations
Discovery Timeline
- 2026-05-06 - CVE-2026-6863 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-6863
Vulnerability Analysis
Velociraptor supports a multi-tenant deployment model in which a root organization can host multiple sub-organizations. Each organization is expected to enforce isolation through role-based access control. Roles such as reader carry a minimal permission set, with READ_RESULTS being the lowest authenticated capability.
The HTTP API fails to validate the target organization context when serving file read requests. An authenticated user in the root organization can include parameters that direct the request toward another organization. The API processes the request using the caller's root-level role rather than verifying explicit permission in the target organization. The result is unauthorized cross-tenant file disclosure through a single GET request.
The asymmetry of the flaw indicates that the issue is specific to how the root organization's authorization context is propagated. Sub-organization users are correctly restricted to their own organization, while root-organization users inherit unintended cross-organization access.
Root Cause
The root cause is missing authorization scoping on file read endpoints in the HTTP API. The server consults the caller's role within the root organization but does not re-evaluate authorization against the target organization referenced in the request. This is a classic CWE-863 flaw where a security check is performed against the wrong principal-resource pair.
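To make the "wrong principal-resource pair" concrete, here is an added, simplified model of the defect and its fix. It is not Velociraptor's code: the root organization id "root", the role names and the permission set are assumptions chosen to mirror the description above, and the vulnerable path reproduces the asymmetry the advisory describes (root-org roles leak to every org, sub-org roles do not).

```python
# Simplified model of the authorization defect (not Velociraptor's code).
ROOT_ORG = "root"            # assumed identifier of the root organization
READ_RESULTS = "READ_RESULTS"
ROLE_PERMISSIONS = {         # assumed role -> capability mapping
    "reader": {READ_RESULTS},                       # lowest authenticated role
    "administrator": {READ_RESULTS, "SERVER_ADMIN"},
}


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = roles   # org_id -> role; a missing key means no membership


def has_permission(user, org_id, permission):
    """Look up the user's role *in the given org* and test the permission."""
    role = user.roles.get(org_id)
    return role is not None and permission in ROLE_PERMISSIONS.get(role, set())


def vulnerable_can_read(user, target_org):
    """Pre-fix behaviour as described: a role held in the root org is trusted
    for every org, so the principal is checked against the wrong resource
    (the root org instead of the target). Non-root callers are checked
    against the target org, which is why the reverse direction is safe."""
    if has_permission(user, ROOT_ORG, READ_RESULTS):
        return True
    return has_permission(user, target_org, READ_RESULTS)


def fixed_can_read(user, target_org):
    """Scope the check to the organization the request actually references."""
    return has_permission(user, target_org, READ_RESULTS)


def access_matrix(check, users, orgs):
    """Which (user, org) pairs a given check allows; handy for comparing both."""
    return {u.name: {o: check(u, o) for o in orgs} for u in users}


# Constructed principals: one reader in the root org, one reader in a sub-org.
ROOT_READER = User("root-reader", {ROOT_ORG: "reader"})
SUB_READER = User("sub-reader", {"O1A2B": "reader"})
ORGS = [ROOT_ORG, "O1A2B", "O9Z8Y"]

if __name__ == "__main__":
    print("vulnerable:", access_matrix(vulnerable_can_read, [ROOT_READER, SUB_READER], ORGS))
    print("fixed:     ", access_matrix(fixed_can_read, [ROOT_READER, SUB_READER], ORGS))
```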
Attack Vector
Exploitation requires valid authenticated credentials with the reader role or higher in the root organization. The attacker issues an HTTP GET request to the Velociraptor API and references files owned by another organization. The server returns the file contents without enforcing per-org permissions. No user interaction or local access is required. Refer to the Velociraptor Security Advisory for endpoint-level technical details.
Detection Methods for CVE-2026-6863
Indicators of Compromise
- HTTP GET requests from low-privilege root-org accounts that reference org_id or organization parameters belonging to other tenants
- API access logs showing reader-role users retrieving files outside their assigned organization scope
- Spikes in READ_RESULTS operations originating from root-org reader accounts targeting cross-tenant resources
Detection Strategies
- Audit Velociraptor HTTP API access logs for any read operation in which the caller's primary organization differs from the target file's owning organization
- Correlate authenticated user role with the organization ID referenced in each API request to flag mismatches
- Baseline normal access patterns for reader-role accounts and alert on deviations involving foreign organization identifiers
Monitoring Recommendations
- Forward Velociraptor server logs to a central SIEM and apply rules that match cross-organization access by users with only READ_RESULTS
- Track historical reader-role activity and review any retroactive evidence of cross-tenant reads prior to upgrade
- Monitor authentication events for new or seldom-used reader accounts that suddenly enumerate organizations or files
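The detection strategies and monitoring recommendations above both reduce to one rule: flag any file read whose target organization differs from the organization in which the caller's role is assigned, and rate it highest when the caller is a root-org account holding only READ_RESULTS. This is an added example, not Velociraptor's own tooling; the JSON audit lines are constructed and do not reproduce Velociraptor's real log schema, and the root organization id "root" and the role name "reader" are assumptions.

```python
import json

ROOT_ORG = "root"              # assumed id of the root organization
READ_ONLY_ROLES = {"reader"}   # assumed roles whose only capability is READ_RESULTS

# Constructed sample audit records (NOT Velociraptor's real log format):
# user_org is the org in which the caller's role is assigned, org_id is the
# organization the request targeted.
SAMPLE_LOG = """\
{"ts":"2026-05-06T10:00:01Z","user":"alice","user_org":"root","role":"reader","op":"read_file","org_id":"root"}
{"ts":"2026-05-06T10:00:07Z","user":"alice","user_org":"root","role":"reader","op":"read_file","org_id":"O1A2B"}
{"ts":"2026-05-06T10:00:09Z","user":"alice","user_org":"root","role":"reader","op":"read_file","org_id":"O9Z8Y"}
{"ts":"2026-05-06T10:01:00Z","user":"bob","user_org":"O1A2B","role":"reader","op":"read_file","org_id":"O1A2B"}
{"ts":"2026-05-06T10:02:00Z","user":"carol","user_org":"root","role":"administrator","op":"read_file","org_id":"O1A2B"}
{"ts":"2026-05-06T10:03:00Z","user":"alice","user_org":"root","role":"reader","op":"list_orgs","org_id":"O9Z8Y"}
"""


def parse_audit_lines(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_cross_org_reads(records):
    """Return one finding per file read whose target org differs from the
    caller's org. Root-org callers with a read-only role are rated 'high'
    because that is exactly the population able to trigger this bypass;
    other mismatches (e.g. root administrators) are rated 'review'."""
    findings = []
    for r in records:
        if r.get("op") != "read_file" or r["org_id"] == r["user_org"]:
            continue
        root_reader = r["user_org"] == ROOT_ORG and r["role"] in READ_ONLY_ROLES
        findings.append({
            "ts": r["ts"], "user": r["user"], "role": r["role"],
            "target_org": r["org_id"],
            "severity": "high" if root_reader else "review",
        })
    return findings


def foreign_orgs_per_user(findings):
    """Distinct foreign orgs touched per user: a baseline of 0 for reader
    accounts makes any non-zero count a candidate SIEM alert."""
    per_user = {}
    for f in findings:
        per_user.setdefault(f["user"], set()).add(f["target_org"])
    return {user: len(orgs) for user, orgs in per_user.items()}


if __name__ == "__main__":
    hits = detect_cross_org_reads(parse_audit_lines(SAMPLE_LOG))
    for h in hits:
        print(h)
    print(foreign_orgs_per_user(hits))
```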
How to Mitigate CVE-2026-6863
Immediate Actions Required
- Upgrade all Velociraptor server instances to version 0.76.4 or later
- Review existing role assignments in the root organization and remove unnecessary reader accounts
- Audit historical API logs for cross-organization read activity prior to patching
- Rotate any sensitive artifacts or credentials that may have been exposed through cross-tenant file reads
Patch Information
The fix is included in Velociraptor 0.76.4. The vendor advisory is published at the Velociraptor Security Advisory. Operators running multi-tenant deployments should treat upgrade as the primary remediation path, since no configuration change fully closes the authorization gap on unpatched versions.
Workarounds
- Restrict authenticated access to the Velociraptor HTTP API to trusted networks or VPN endpoints until the patch is applied
- Temporarily remove or downgrade unneeded root-organization reader accounts to limit the population of users able to exploit the bypass
- Segment multi-tenant data so that highly sensitive collections do not reside in environments shared with the root organization until upgrade is complete
Upgrade Commands
# Verify the running Velociraptor server version before upgrading
velociraptor version
# Upgrade to the fixed release:
# download the 0.76.4 (or later) binary from the official release channel,
# replace the running server binary, then restart the service
systemctl restart velociraptor_server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


