External risk intelligence

Velociraptor allows authenticated users to access data in other organizations.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-6290

Velociraptor has a flaw where an internal attacker with access to one organization can run unauthorized queries to access data in other organizations. This allows unauthorized access to sensitive information and compromises the security of segregated business environments.

Halo Surface Signal: 2

Affected product: Rapid7 Velociraptor, versions before 0.76.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-6290

The vulnerability requires authenticated access to the Velociraptor GUI. As a digital forensics and incident response platform, Velociraptor is typically deployed within internal corporate networks or isolated security segments. Public internet exposure is uncommon for this type of management and monitoring tool, which is usually restricted to authorized administrative users.

Horizon Alert

Summary of the vulnerability and why it matters

This Velociraptor vulnerability allows an authenticated user to access data across different organizations they shouldn't have permissions for. This is critical because it bypasses intended data segregation within the platform.

  • Bypasses access controls for sensitive data.
  • Affects authenticated GUI users.
  • Expands unauthorized data visibility.

Attack Path

How an attacker could exploit the issue

An authenticated attacker who has access to one Velociraptor organization can abuse the `query()` plugin to execute VQL queries on other organizations. This allows them to read, modify, or delete data across different organizational boundaries, effectively bypassing access controls within the application. The attacker's privileges in the target orgs will match their existing privileges in their current org.

  • Requires authenticated GUI access.
  • Targets the `query()` plugin.
  • Exploits ACL token for cross-org access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Velociraptor, allowing authenticated users to access data across different organizations, presents a moderate threat. While it requires existing access, the ability to escalate privileges within the application itself is a concern for environments using Velociraptor for sensitive data collection. The threat landscape is currently unclear due to a lack of public exploit information.

  • Requires authenticated user access.
  • No public exploit details observed.
  • Limited external exposure likely.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Velociraptor to version 0.76.3 or later to fix a critical vulnerability allowing authenticated users to bypass organizational access controls. If immediate patching is not feasible, implement strict access controls and monitor for unauthorized queries across all organizations.

  • Update Velociraptor to 0.76.3+.
  • Monitor for cross-org query activity.
  • Restrict GUI user permissions.
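The "monitor for cross-org query activity" step above, as an added detection example; it is not part of this advisory and not code from the Velociraptor project. It assumes a JSON-lines audit export in which each record carries a `timestamp`, the acting `user`, the `org_id` the user was authenticated to, and the `vql` text that was run, and it assumes that a cross-org call passes an explicit `org_id` argument to the `query()` plugin. Both the field names and the sample records are constructed for this example; adapt them to the audit source you actually export. A small version check against the 0.76.3 fix release from the advisory is included so the same script can report whether a server still needs the patch.

```python
"""Flag VQL queries that use query() to reach into another organization.

Added example, not from the advisory or the Velociraptor project. Field names
(timestamp, user, org_id, vql) and all sample records are constructed.
"""
import json
import re

FIXED_VERSION = "0.76.3"  # first fixed release named in the advisory

# Matches a query() call that carries an explicit org_id argument and captures
# the org id. Assumption: the cross-org variant of the call names the target
# org this way; the advisory only states that query() was used across orgs.
QUERY_ORG_RE = re.compile(
    r"""\bquery\s*\(.*?\borg_id\s*=\s*['"]?([A-Za-z0-9_-]+)""",
    re.IGNORECASE | re.DOTALL,
)

# Constructed audit records: two benign queries, one same-org query() call and
# two cross-org query() calls from users bob and dave.
SAMPLE_AUDIT = """
{"timestamp": "2026-01-10T09:00:00Z", "user": "alice", "org_id": "O123", "vql": "SELECT * FROM clients()"}
{"timestamp": "2026-01-10T09:05:00Z", "user": "bob",   "org_id": "O123", "vql": "SELECT * FROM query(query='SELECT * FROM clients()', org_id='O456')"}
{"timestamp": "2026-01-10T09:07:00Z", "user": "carol", "org_id": "O456", "vql": "SELECT * FROM query(query='SELECT * FROM info()', org_id='O456')"}
{"timestamp": "2026-01-10T09:12:00Z", "user": "dave",  "org_id": "O999", "vql": "SELECT * FROM query(query='SELECT * FROM clients()', org_id='O123') UNION SELECT * FROM query(query='SELECT * FROM hunts()', org_id='O789')"}
"""


def cross_org_targets(vql, home_org):
    """Return the set of org ids named by query() that differ from home_org."""
    return {org for org in QUERY_ORG_RE.findall(vql) if org != home_org}


def scan_audit(lines):
    """Scan JSON-lines audit records; return one finding per cross-org query."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        targets = cross_org_targets(rec.get("vql", ""), rec.get("org_id", ""))
        if targets:
            findings.append({
                "timestamp": rec.get("timestamp"),
                "user": rec.get("user"),
                "home_org": rec.get("org_id"),
                "targets": sorted(targets),
            })
    return findings


def needs_patch(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    def parse(v):
        return tuple(int(part) for part in v.split("."))
    return parse(installed) < parse(fixed)


if __name__ == "__main__":
    for f in scan_audit(SAMPLE_AUDIT.splitlines()):
        print(f"{f['timestamp']} user={f['user']} home_org={f['home_org']} "
              f"cross-org targets={','.join(f['targets'])}")
    print("server 0.76.2 needs patch:", needs_patch("0.76.2"))
```

Run it against your own export by replacing `SAMPLE_AUDIT` with the file contents; a finding lists the user, the org they were logged into and every other org their `query()` calls named. Same-org `query()` calls (carol's record) and plain queries are not reported, so the output is the short list worth triaging.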

Frequently asked questions

What is Velociraptor and what is it used for?

Velociraptor is a digital forensics and incident response platform. It is used by security and incident response teams to collect and analyze data from endpoints, helping to investigate security incidents and understand system activity.

What is the weakness in Velociraptor CVE-2026-6290?

CVE-2026-6290 is a bypass vulnerability. It allows an authenticated user in one Velociraptor organization to run queries and access data in other organizations, even if they don't normally have permissions there.

How can an attacker trigger this Velociraptor vulnerability?

An attacker must first be authenticated and have access to the Velociraptor GUI within one organization. They can then use the `query()` plugin in a notebook cell to execute VQL queries against other organizations, bypassing normal access controls.

Who should be concerned about this Velociraptor CVE?

Organizations using Velociraptor should be concerned. Because the platform is typically deployed internally and the flaw requires authenticated access, the Halo Surface Signal rates public internet exposure as unlikely. Internal unauthorized access remains a risk, however.

What is the first step to address CVE-2026-6290 in Velociraptor?

The immediate step is to update Velociraptor to version 0.76.3 or later. If immediate updating isn't possible, review and enforce strict access controls for GUI users and monitor for unusual cross-organization query activity.