Vulnerability in Velociraptor Plugin Allows Unauthorized Access to Multiple Organizations
CVE-2026-6290

8HIGH

Key Information:

Vendor: Rapid7
Status: Velociraptor
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-6290?

Velociraptor versions before 0.76.3 exhibit a significant security issue within the query() plugin. This vulnerability allows authenticated users with access to one organization to execute VQL queries on other organizations without proper authorization. By leveraging the user's current ACL token, a user can potentially view and manipulate data in organizations where their permissions should not apply, leading to unauthorized access to sensitive information.

Affected Version(s)

Velociraptor 0 < 0.76.3, 0.75.8

References

https://docs.velociraptor.app/announcements/advisories/cv...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Faisal Alhumaid

CVE-2026-6290 Data

JSON

Rapid7

What is CVE-2026-6290?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit