Vulnerability-Lookup

WID-SEC-W-2026-1141

Vulnerability from csaf_certbund - Published: 2026-04-15 22:00 - Updated: 2026-04-15 22:00

Summary

Rapid7 Velociraptor: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Rapid7 Velociraptor ist ein Tool zur Endpunkt-Erkennung und -Reaktion (EDR) und zur digitalen Forensik, das eine leistungsstarke Sammlung von Tools zur Überwachung und Analyse von Endpunkten bietet.

Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Rapid7 Velociraptor ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder Daten zu manipulieren, was möglicherweise die Ausführung von beliebigem Code ermöglicht.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-5329

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Rapid7 Velociraptor <0.76.2 Rapid7 / Velociraptor		<0.76.2

CVE-2026-6290

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Rapid7 Velociraptor <0.76.2 Rapid7 / Velociraptor		<0.76.2
Rapid7 Velociraptor <0.76.3 Rapid7 / Velociraptor		<0.76.3

References

5 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://docs.velociraptor.app/announcements/advisories/	external
https://github.com/advisories/GHSA-3WQ5-X8P8-2V3P	external
https://github.com/advisories/GHSA-HV5G-26JG-PC45	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Rapid7 Velociraptor ist ein Tool zur Endpunkt-Erkennung und -Reaktion (EDR) und zur digitalen Forensik, das eine leistungsstarke Sammlung von Tools zur \u00dcberwachung und Analyse von Endpunkten bietet.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Rapid7 Velociraptor ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen oder Daten zu manipulieren, was m\u00f6glicherweise die Ausf\u00fchrung von beliebigem Code erm\u00f6glicht.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1141 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1141.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1141 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1141"
      },
      {
        "category": "external",
        "summary": "Velociraptor Security Advisories vom 2026-04-15",
        "url": "https://docs.velociraptor.app/announcements/advisories/"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-04-15",
        "url": "https://github.com/advisories/GHSA-3WQ5-X8P8-2V3P"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2026-04-15",
        "url": "https://github.com/advisories/GHSA-HV5G-26JG-PC45"
      }
    ],
    "source_lang": "en-US",
    "title": "Rapid7 Velociraptor: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-04-15T22:00:00.000+00:00",
      "generator": {
        "date": "2026-04-16T11:09:16.709+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1141",
      "initial_release_date": "2026-04-15T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c0.76.3",
                "product": {
                  "name": "Rapid7 Velociraptor \u003c0.76.3",
                  "product_id": "T052895"
                }
              },
              {
                "category": "product_version",
                "name": "0.76.3",
                "product": {
                  "name": "Rapid7 Velociraptor 0.76.3",
                  "product_id": "T052895-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rapid7:velociraptor:0.76.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c0.76.2",
                "product": {
                  "name": "Rapid7 Velociraptor \u003c0.76.2",
                  "product_id": "T052896"
                }
              },
              {
                "category": "product_version",
                "name": "0.76.2",
                "product": {
                  "name": "Rapid7 Velociraptor 0.76.2",
                  "product_id": "T052896-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rapid7:velociraptor:0.76.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Velociraptor"
          }
        ],
        "category": "vendor",
        "name": "Rapid7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-5329",
      "product_status": {
        "known_affected": [
          "T052896"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2026-5329"
    },
    {
      "cve": "CVE-2026-6290",
      "product_status": {
        "known_affected": [
          "T052896",
          "T052895"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2026-6290"
    }
  ]
}

CVE-2026-5329 (GCVE-0-2026-5329)

Vulnerability from cvelistv5 – Published: 2026-04-09 17:52 – Updated: 2026-04-16 17:55

Title

Rapid7 Velociraptor Improper Input Validation in Client Message Handler

Summary

Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.

Severity

8.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper input validation

Assigner

rapid7

References

1 reference

URL	Tags
https://docs.velociraptor.app/announcements/advis…

Impacted products

1 product

Vendor	Product	Version
Rapid7	Velociraptor	Affected: 0 , ≤ 0.76.3 (semver) Affected: 0 , ≤ 0.75.6 (semver) Affected: 0 , ≤ 0.74.6 (semver)

Credits

We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5329",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T03:56:08.816Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Velociraptor",
          "repo": "https://github.com/Velocidex/velociraptor",
          "vendor": "Rapid7",
          "versions": [
            {
              "lessThanOrEqual": "0.76.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "0.75.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "0.74.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Rapid7 Velociraptor versions prior to 0.76.2\u0026nbsp;contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker  to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u0026nbsp;does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."
            }
          ],
          "value": "Rapid7 Velociraptor versions prior to 0.76.2\u00a0contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker  to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u00a0does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-240",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-240 Resource Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper input validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T17:55:09.212Z",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Rapid7 Velociraptor Improper Input Validation in Client Message Handler",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2026-5329",
    "datePublished": "2026-04-09T17:52:05.885Z",
    "dateReserved": "2026-04-01T13:33:23.515Z",
    "dateUpdated": "2026-04-16T17:55:09.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6290 (GCVE-0-2026-6290)

Vulnerability from cvelistv5 – Published: 2026-04-15 17:29 – Updated: 2026-04-16 03:55

Title

Velociraptor Query() Plugin Misapplies Permissions To Orgs

Summary

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook.

Severity

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-863

Assigner

rapid7

References

1 reference

URL	Tags
https://docs.velociraptor.app/announcements/advis…

Impacted products

1 product

Vendor	Product	Version
Rapid7	Velociraptor	Affected: 0 , < 0.76.3, 0.75.8 (semver)

Credits

Faisal Alhumaid

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6290",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-16T03:55:38.112Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Velociraptor",
          "vendor": "Rapid7",
          "versions": [
            {
              "lessThan": "0.76.3, 0.75.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Faisal Alhumaid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\u003cbr\u003ethe same as the permissions they have in the org containing the notebook."
            }
          ],
          "value": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user\u0027s current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user\u0027s permissions in the other org are\nthe same as the permissions they have in the org containing the notebook."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-15T17:29:04.306Z",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6290/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Velociraptor Query() Plugin Misapplies Permissions To Orgs",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2026-6290",
    "datePublished": "2026-04-15T17:29:04.306Z",
    "dateReserved": "2026-04-14T17:31:37.803Z",
    "dateUpdated": "2026-04-16T03:55:38.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1141

CVE-2026-5329 (GCVE-0-2026-5329)

CVE-2026-6290 (GCVE-0-2026-6290)

Tags

Sightings

Nomenclature