CVE-2026-7573 Overview
CVE-2026-7573 is an authorization bypass vulnerability [CWE-639] in the GetUserRoles gRPC API endpoint of Velocidex Velociraptor. It affects all releases below version 0.76.5. Any authenticated user, regardless of assigned role, can retrieve the complete Access Control List (ACL) policy, including roles and permissions, for any user in any organization. Exploitation needs nothing beyond a valid session and the target's Name and Org parameters in a single API request. The disclosed role assignments and permission mappings are data that should be readable only by administrators.
Critical Impact
Authenticated low-privilege users can enumerate ACL policies for any user in any organization, revealing which accounts hold administrative or other sensitive permissions. The flaw discloses ACL data only; it does not by itself grant additional permissions, but it hands an attacker the target list for follow-on credential or session attacks against the same instance.
Affected Products
- Velocidex Velociraptor, all versions below 0.76.5 (fixed in 0.76.5)
- Exposure is greatest in multi-organization deployments, where the endpoint crosses the per-organization ACL boundary between tenants
- Any instance whose gRPC API is reachable by authenticated non-administrative users, since the endpoint itself performs no role check
Discovery Timeline
- 2026-05-06 - CVE-2026-7573 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-7573
Vulnerability Analysis
The vulnerability resides in the GetUserRoles gRPC API endpoint exposed by Velociraptor. The endpoint accepts Name and Org parameters that identify the user and organization whose ACL policy should be returned. The handler does not verify that the calling principal possesses sufficient privileges to read the targeted user's roles. The handler also fails to scope the lookup to organizations the caller is a member of. Authenticated users at any privilege tier receive the full role and permission set for the requested target.
Velociraptor multi-organization deployments rely on per-organization ACL boundaries to separate tenants. This flaw breaks that boundary at the API layer. Attackers can map administrators, identify accounts with sensitive capabilities such as EXECVE or COLLECT_SERVER, and select high-value targets for credential or session attacks. The information disclosure is limited to ACL data, but the data is sufficient to plan privilege escalation against the same Velociraptor instance.
Root Cause
The root cause is a missing authorization check in the GetUserRoles handler. The endpoint trusts the user-supplied Name and Org parameters as a lookup key without enforcing that the caller has read access to the user object that key selects. Because the caller chooses the key and the server never checks entitlement to it, the flaw matches CWE-639, Authorization Bypass Through User-Controlled Key.
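To make the pattern concrete, here is an added example in Go (Velociraptor's implementation language) that is not Velociraptor's own code: a toy in-memory directory with a handler that skips the authorization step beside one that performs it. The types, the role name administrator, the sample users and the permission strings in the directory are this example's own constructions; only the endpoint name and the Name and Org parameters come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model only. The types, role names and directory layout below
// are this example's assumptions; they are not Velociraptor's code or API.

// ACLPolicy is what GetUserRoles returns for one user in one org.
type ACLPolicy struct {
	Roles       []string
	Permissions []string
}

// Directory maps org -> user name -> policy.
type Directory map[string]map[string]ACLPolicy

// GetUserRolesRequest carries the two user-controlled parameters named in
// the advisory; together they form the CWE-639 "user-controlled key".
type GetUserRolesRequest struct {
	Name string
	Org  string
}

var (
	ErrPermissionDenied = errors.New("permission denied")
	ErrNotFound         = errors.New("user not found")
)

// lookup is the data access shared by both handlers below.
func (d Directory) lookup(req GetUserRolesRequest) (ACLPolicy, error) {
	if pol, ok := d[req.Org][req.Name]; ok {
		return pol, nil
	}
	return ACLPolicy{}, ErrNotFound
}

// hasRole reports whether principal holds role in org.
func (d Directory) hasRole(principal, org, role string) bool {
	pol, err := d.lookup(GetUserRolesRequest{Name: principal, Org: org})
	if err != nil {
		return false
	}
	for _, r := range pol.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// GetUserRolesVulnerable shows the flaw pattern: the caller is identified
// (authentication happened) but never authorized against the target key.
func (d Directory) GetUserRolesVulnerable(caller string, req GetUserRolesRequest) (ACLPolicy, error) {
	_ = caller // authenticated, but unused: any caller reads any (Name, Org)
	return d.lookup(req)
}

// GetUserRolesFixed authorizes before it reads: a principal may read its own
// policy, or any policy in an org where it holds the administrator role.
// Denial and not-found collapse into one error so the endpoint cannot be
// used as an existence oracle by callers who are not entitled to know.
func (d Directory) GetUserRolesFixed(caller string, req GetUserRolesRequest) (ACLPolicy, error) {
	if caller != req.Name && !d.hasRole(caller, req.Org, "administrator") {
		return ACLPolicy{}, ErrPermissionDenied
	}
	return d.lookup(req)
}

// sampleDirectory is constructed data for the demonstration.
func sampleDirectory() Directory {
	return Directory{
		"tenant-a": {
			"analyst": {Roles: []string{"reader"}, Permissions: []string{"READ_RESULTS"}},
			"a-admin": {Roles: []string{"administrator"}, Permissions: []string{"SERVER_ADMIN", "EXECVE"}},
		},
		"tenant-b": {
			"b-admin": {Roles: []string{"administrator"}, Permissions: []string{"SERVER_ADMIN", "COLLECT_SERVER"}},
		},
	}
}

func main() {
	d := sampleDirectory()
	req := GetUserRolesRequest{Name: "b-admin", Org: "tenant-b"}
	// Low-privilege tenant-a user asks for tenant-b's administrator.
	leaked, err := d.GetUserRolesVulnerable("analyst", req)
	fmt.Println("vulnerable:", leaked.Permissions, err)
	_, err = d.GetUserRolesFixed("analyst", req)
	fmt.Println("fixed:", err)
}
```

The fixed variant authorizes before it reads and returns the same error for "not entitled" and "no such user", so a low-privilege caller cannot turn the endpoint into an account-existence oracle. A same-org administrator still receives a distinct not-found result, which is acceptable because that caller is entitled to the answer; an administrator of a different org is treated like any other unentitled caller.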
Attack Vector
Exploitation occurs over the network against the Velociraptor gRPC API. The attacker authenticates with any valid low-privilege account, then sends a GetUserRoles request with the target username and organization identifier. The server returns the requested ACL policy without performing role checks on the caller.
No verified public exploit code is available. See the Velociraptor Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-7573
Indicators of Compromise
- Unusual volumes of GetUserRoles gRPC calls originating from non-administrative accounts
- GetUserRoles requests whose Org parameter names an organization the caller is not a member of
- Sequential enumeration of usernames in API audit logs from a single low-privilege session
Detection Strategies
- Audit Velociraptor API logs for GetUserRoles invocations and correlate the calling user's role with the targeted Name and Org values
- Alert when a non-admin principal queries roles for accounts in organizations it does not belong to
- Baseline normal API call patterns per user role and flag deviations such as bulk user enumeration
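The strategies above can be run as code over audit records. The following is an added example in Go, not a Velociraptor artifact, VQL query or log format: it parses newline-delimited JSON audit lines in a schema assumed for this example (field names such as principal_orgs and target_org are this example's own, and the seven log lines are constructed), then flags non-administrative callers who query an organization they do not belong to and callers who touch many distinct users within a short window.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is the record shape this example assumes for one API audit
// line. The field names are this example's own, not Velociraptor's audit
// schema; adapt the JSON tags to whatever your log pipeline emits.
type AuditEvent struct {
	Time       time.Time `json:"time"`
	Principal  string    `json:"principal"`
	IsAdmin    bool      `json:"principal_is_admin"`
	Orgs       []string  `json:"principal_orgs"`
	Method     string    `json:"method"`
	TargetName string    `json:"target_name"`
	TargetOrg  string    `json:"target_org"`
}

// Finding is one alert; Rule is "cross-org" or "enumeration".
type Finding struct {
	Rule      string
	Principal string
	Detail    string
}

// sampleAuditLog is constructed test data, not a real Velociraptor log.
const sampleAuditLog = `
{"time":"2026-05-08T09:00:00Z","principal":"ops-admin","principal_is_admin":true,"principal_orgs":["root","tenant-a","tenant-b"],"method":"GetUserRoles","target_name":"alice","target_org":"tenant-b"}
{"time":"2026-05-08T09:01:00Z","principal":"analyst","principal_is_admin":false,"principal_orgs":["tenant-a"],"method":"GetUserRoles","target_name":"analyst","target_org":"tenant-a"}
{"time":"2026-05-08T09:01:05Z","principal":"analyst","principal_is_admin":false,"principal_orgs":["tenant-a"],"method":"GetUserRoles","target_name":"alice","target_org":"tenant-a"}
{"time":"2026-05-08T09:01:10Z","principal":"analyst","principal_is_admin":false,"principal_orgs":["tenant-a"],"method":"GetUserRoles","target_name":"bob","target_org":"tenant-a"}
{"time":"2026-05-08T09:01:15Z","principal":"analyst","principal_is_admin":false,"principal_orgs":["tenant-a"],"method":"GetUserRoles","target_name":"carol","target_org":"tenant-a"}
{"time":"2026-05-08T09:02:00Z","principal":"analyst","principal_is_admin":false,"principal_orgs":["tenant-a"],"method":"GetUserRoles","target_name":"root-admin","target_org":"tenant-b"}
{"time":"2026-05-08T11:30:00Z","principal":"triage","principal_is_admin":false,"principal_orgs":["tenant-a"],"method":"GetUserRoles","target_name":"triage","target_org":"tenant-a"}
`

// parseEvents reads newline-delimited JSON, skipping blank lines.
func parseEvents(raw string) ([]AuditEvent, error) {
	var out []AuditEvent
	for _, line := range strings.Split(raw, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		out = append(out, e)
	}
	return out, nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// detect applies two rules to GetUserRoles calls from non-admin principals:
//   cross-org:   the target org is not one the caller belongs to
//   enumeration: at least threshold distinct targets within one window
func detect(events []AuditEvent, threshold int, window time.Duration) []Finding {
	var findings []Finding
	byPrincipal := map[string][]AuditEvent{}
	for _, e := range events {
		if e.Method != "GetUserRoles" || e.IsAdmin {
			continue // admins legitimately read any policy; other methods are out of scope
		}
		if !contains(e.Orgs, e.TargetOrg) {
			findings = append(findings, Finding{"cross-org", e.Principal,
				fmt.Sprintf("queried %s/%s while a member of %v", e.TargetOrg, e.TargetName, e.Orgs)})
		}
		byPrincipal[e.Principal] = append(byPrincipal[e.Principal], e)
	}
	for p, evs := range byPrincipal {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		// Sliding window over the time-ordered calls; report once per principal.
		for i := range evs {
			distinct := map[string]bool{}
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				distinct[evs[j].TargetOrg+"/"+evs[j].TargetName] = true
			}
			if len(distinct) >= threshold {
				findings = append(findings, Finding{"enumeration", p,
					fmt.Sprintf("%d distinct targets within %s from %s", len(distinct), window, evs[i].Time.Format(time.RFC3339))})
				break
			}
		}
	}
	return findings
}

func main() {
	events, err := parseEvents(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detect(events, 5, 5*time.Minute) {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

Map the struct's JSON tags onto whatever your pipeline records for the calling principal, its organization memberships and the request parameters. The two rules are independent: a single cross-org request is reported even when the caller never reaches the enumeration threshold, and the threshold and window should be tuned against a baseline of legitimate per-role call volume before alerting on them.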
Monitoring Recommendations
- Enable verbose gRPC API audit logging on Velociraptor frontend servers and forward logs to a central SIEM
- Track failed and successful authentication events alongside subsequent GetUserRoles calls to identify reconnaissance chains
- Monitor for new or unexpected low-privilege accounts performing administrative-style queries
How to Mitigate CVE-2026-7573
Immediate Actions Required
- Upgrade all Velociraptor frontend and server components to version 0.76.5 or later
- Review existing user accounts and remove unused low-privilege accounts that could be leveraged for authenticated access
- Rotate credentials for high-privilege accounts whose roles were disclosed, especially those holding administrator, EXECVE or COLLECT_SERVER permissions, and review their recent activity for signs of targeting; the flaw leaks role data, not credentials, so rotation guards against follow-on attacks rather than undoing the disclosure
Patch Information
Velocidex has addressed the issue in Velociraptor 0.76.5. The fixed release adds the missing authorization check on the GetUserRoles gRPC endpoint. Refer to the Velociraptor Security Advisory for upgrade instructions and release notes.
Workarounds
- Restrict network access to the Velociraptor gRPC API to administrative subnets until the patch is applied
- Limit issuance of authenticated API credentials to trusted operators only
- Audit and reduce the membership of organizations in multi-tenant deployments to minimize exposure of high-privilege ACL data
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.