Velociraptor Vulnerability Exposes Multi-Org Data

A significant vulnerability, tracked as CVE-2026-6290, has been identified in Velociraptor versions prior to 0.76.3. According to the National Vulnerability Database, this flaw resides within the query() plugin, allowing an authenticated GUI user to bypass intended organizational access controls.

Specifically, a user with legitimate access to one organization can use the query() plugin in a notebook cell to execute VQL queries against other organizations for which they have not been granted permission. The National Vulnerability Database reports that the user's permissions in those other organizations mirror the permissions they hold in their own, legitimate organization. This is a classic case of improper access control, rated high severity with a CVSS score of 8.0.
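The two facts a defender can act on from the advisory are the version boundary (anything prior to 0.76.3 is affected) and the mechanism (the query() plugin invoked from a notebook cell). The script below is an added example written for this page; it is not code from the advisory or from the Velociraptor project. It gates on the server version and then scans notebook-cell VQL for query() calls so the organization owner can review which cells to look at. The audit records it reads are a constructed JSON-lines format with the fields user, org_id, cell_id, source and vql; that schema is an assumption for the example, not Velociraptor's real audit log layout.

```python
import json
import re

# Patched release named in the advisory: every release prior to 0.76.3 is affected.
PATCHED_VERSION = (0, 76, 3)

# Accepts "0.76.2", "v0.76.3" and "0.76.3-rc1"; a pre-release suffix is ignored
# and compared as its base number.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Matches an invocation of the query() plugin anywhere in a VQL string.
# VQL plugin names are case-insensitive, so the match is too; "\b" keeps
# identifiers such as subquery( from matching.
QUERY_PLUGIN_RE = re.compile(r"\bquery\s*\(", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the server runs a release prior to 0.76.3."""
    return parse_version(version) < PATCHED_VERSION


def find_notebook_query_calls(audit_lines) -> list:
    """Return (user, org_id, cell_id) for every notebook cell whose VQL calls query().

    Only records whose source is "notebook_cell" are considered, because the
    advisory names the notebook cell as the path by which query() crosses org
    boundaries. Lines that are not valid JSON are skipped rather than fatal.
    """
    findings = []
    for line in audit_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("source") != "notebook_cell":
            continue
        if QUERY_PLUGIN_RE.search(rec.get("vql", "")):
            findings.append({"user": rec["user"], "org_id": rec["org_id"], "cell_id": rec["cell_id"]})
    return findings


# Constructed sample records (assumed schema, not a real Velociraptor audit log).
SAMPLE_AUDIT_LINES = [
    json.dumps({"user": "alice", "org_id": "org-A", "cell_id": "NC.1", "source": "notebook_cell",
                "vql": 'SELECT * FROM query(query="SELECT client_id FROM clients()")'}),
    json.dumps({"user": "bob", "org_id": "org-A", "cell_id": "NC.2", "source": "notebook_cell",
                "vql": "SELECT * FROM info()"}),
    json.dumps({"user": "carol", "org_id": "root", "cell_id": "NC.3", "source": "notebook_cell",
                "vql": 'LET rows = SELECT * FROM QUERY (query="SELECT * FROM clients()")\nSELECT * FROM rows'}),
    json.dumps({"user": "dave", "org_id": "root", "cell_id": "H.1", "source": "hunt",
                "vql": 'SELECT * FROM query(query="SELECT * FROM pslist()")'}),
    "this line is not json",
]


if __name__ == "__main__":
    server_version = "0.76.2"  # constructed value for the demo
    print(f"server {server_version} vulnerable: {is_vulnerable(server_version)}")
    if is_vulnerable(server_version):
        for hit in find_notebook_query_calls(SAMPLE_AUDIT_LINES):
            print("notebook cell calling query():", hit)
```

On the sample data the scan reports alice's and carol's cells (the second one in upper case with a space before the parenthesis) and ignores bob's plain info() query and dave's hunt, which is not a notebook cell. Because the advisory does not describe how the target organization is named in the query, the script deliberately flags every query() call on a vulnerable server for review rather than trying to decide which of them crossed an org boundary.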

Indicators of Compromise

ID | Type | Indicator
CVE-2026-6290 | Privilege Escalation | Velociraptor versions prior to 0.76.3
CVE-2026-6290 | Privilege Escalation | Vulnerable component: query() plugin
CVE-2026-6290 | Privilege Escalation | Attack vector: authenticated GUI user using the query() plugin in a notebook cell to run VQL queries on other orgs
