CVE-2026-6290: CWE-863 in Rapid7 Velociraptor
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.
AI Analysis
Technical Summary
Rapid7 Velociraptor versions before 0.76.3 contain an authorization bypass vulnerability (CWE-863) in the query() plugin. Authenticated users with access to one organization can leverage their ACL token to execute VQL queries on other organizations they should not have access to, inheriting their original permissions in those organizations. This flaw allows unauthorized cross-organization data access within the Velociraptor GUI environment. The vulnerability has a CVSS 3.1 score of 8.0, indicating high severity. No vendor-provided patch or official remediation level is currently documented, and the product is not a cloud service, so remediation depends on vendor updates.
Potential Impact
An authenticated user with legitimate access to one organization can access data and perform queries on other organizations within the Velociraptor environment without proper authorization checks. This can lead to unauthorized disclosure and potential manipulation of data across organizational boundaries, violating access control policies. The impact affects confidentiality, integrity, and availability as indicated by the CVSS vector. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict GUI user access to trusted personnel only and monitor for unusual query activity. Avoid sharing ACL tokens across organizations. Follow Rapid7's official channels for updates on patches or workarounds.
CVE-2026-6290: CWE-863 in Rapid7 Velociraptor
Description
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Rapid7 Velociraptor versions before 0.76.3 contain an authorization bypass vulnerability (CWE-863) in the query() plugin. Authenticated users with access to one organization can leverage their ACL token to execute VQL queries on other organizations they should not have access to, inheriting their original permissions in those organizations. This flaw allows unauthorized cross-organization data access within the Velociraptor GUI environment. The vulnerability has a CVSS 3.1 score of 8.0, indicating high severity. No vendor-provided patch or official remediation level is currently documented, and the product is not a cloud service, so remediation depends on vendor updates.
Potential Impact
An authenticated user with legitimate access to one organization can access data and perform queries on other organizations within the Velociraptor environment without proper authorization checks. This can lead to unauthorized disclosure and potential manipulation of data across organizational boundaries, violating access control policies. The impact affects confidentiality, integrity, and availability as indicated by the CVSS vector. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict GUI user access to trusted personnel only and monitor for unusual query activity. Avoid sharing ACL tokens across organizations. Follow Rapid7's official channels for updates on patches or workarounds.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- rapid7
- Date Reserved
- 2026-04-14T17:31:37.803Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfcf1982d89c981f85412e
Added to database: 4/15/2026, 5:47:05 PM
Last enriched: 4/15/2026, 6:01:50 PM
Last updated: 4/15/2026, 7:06:39 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.