{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6290/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-6290"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["velociraptor","authentication bypass","privilege escalation","cve-2026-6290"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVelociraptor, a powerful open-source endpoint detection and response (EDR) framework, is vulnerable to an authentication bypass issue affecting versions prior to 0.76.3. The vulnerability, identified as CVE-2026-6290, resides within the \u003ccode\u003equery()\u003c/code\u003e plugin. A user with valid credentials and access to one organization within Velociraptor can leverage the \u003ccode\u003equery()\u003c/code\u003e plugin from a notebook cell to execute VQL (Velociraptor Query Language) queries against other organizations, irrespective of their explicit permissions in those other organizations. This occurs because the plugin improperly uses the user\u0026rsquo;s current ACL token for all queries, effectively granting the user the same level of access across all organizations as they have in their primary organization.\nThis vulnerability allows for potentially broad data exfiltration and privilege escalation within a Velociraptor deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a user account within one organization in a vulnerable Velociraptor instance (version \u0026lt; 0.76.3).\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Velociraptor GUI.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new notebook or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin a notebook cell, the attacker uses the \u003ccode\u003equery()\u003c/code\u003e plugin with a crafted VQL query designed to access data from a different organization. For example, using \u003ccode\u003eSELECT * FROM org_id='TARGET_ORG'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Velociraptor server processes the query using the attacker\u0026rsquo;s existing ACL token, bypassing the organization\u0026rsquo;s access controls.\u003c/li\u003e\n\u003cli\u003eThe server returns data from the target organization to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved data, potentially gaining access to sensitive information or identifying further targets within the compromised Velociraptor instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information gathered to perform actions in other organizations, based on the permissions of their initial account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6290 could allow an attacker to gain unauthorized access to sensitive data stored within different organizations managed by the same Velociraptor instance. This could lead to the exfiltration of confidential information, potential privilege escalation within targeted organizations, and a compromise of the overall security posture of the affected environment.\nThe severity is compounded by the fact that it\u0026rsquo;s a logic error within a security product, making it harder to detect and remediate without patching. The CVSS v3.1 score is 8.0 HIGH, indicating a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all Velociraptor installations to version 0.76.3 or later to patch CVE-2026-6290.\u003c/li\u003e\n\u003cli\u003ePrioritize reviewing Velociraptor user accounts and their assigned organizational access to identify potentially compromised accounts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect anomalous use of the \u003ccode\u003equery()\u003c/code\u003e plugin that targets different organizations than the user\u0026rsquo;s primary organization.\u003c/li\u003e\n\u003cli\u003eMonitor Velociraptor server logs for any unexpected access patterns or data retrieval attempts originating from the \u003ccode\u003equery()\u003c/code\u003e plugin.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T18:17:25Z","date_published":"2026-04-15T18:17:25Z","id":"/briefs/2026-04-velociraptor-auth-bypass/","summary":"Velociraptor versions prior to 0.76.3 contain an authentication bypass vulnerability in the query() plugin, allowing authenticated users to access data from other organizations within the Velociraptor deployment, potentially leading to unauthorized data access and privilege escalation.","title":"Velociraptor Authentication Bypass via query() Plugin","url":"https://feed.craftedsignal.io/briefs/2026-04-velociraptor-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6290","version":"https://jsonfeed.org/version/1.1"}