What is CVE-2026-6290?

CVE-2026-6290 is a high-severity vulnerability in Rapid7 Velociraptor, classified under Incorrect Authorization. CVSS score: 8.0/10. Published 2026-04-15.

How severe is CVE-2026-6290?

High severity. CVSS v3 base score is 8.0 out of 10.

Auth bypass in Rapid7 Velociraptor

CVE-2026-6290

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin…

Vulnerability class: Broken Access Control

EPSS: 0.000 (14.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Rapid7 Velociraptor — versions 0

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

docs.velociraptor.app/announcements/advisories/cve-2026-6290/

Frequently asked questions

What is CVE-2026-6290?: CVE-2026-6290 is a high-severity vulnerability in Rapid7 Velociraptor, classified under Incorrect Authorization. CVSS score: 8.0/10. Published 2026-04-15.
How severe is CVE-2026-6290?: High severity. CVSS v3 base score is 8.0 out of 10.