MEDIUM SeverityCVSS 3.15.0CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVE-2026-7573

Last updated May 06, 2026 · Published May 06, 2026

Description

An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.

Affected products

1 listed

Velocidex:velociraptor

Mappings

CWE

CWE-639

CAPEC

CAPEC-37

Research

Insecure direct object references (IDOR): detection and preventionInsecure direct object references let users access other users' data by changing an ID. Enforce object-level…

Training

Authorisation and Access ControlRBAC, ABAC, and privilege escalation patterns in real applications.

CVE-2026-7573

Description

Affected products

Mappings

Related