Added 0.76.3 release to address CVE 2026-6290 (Velocidex#1232)

Author: scudette

.wordlist.txt

@@ -2088,3 +2088,7 @@ subsetted
 unannotated
 
 addClass
+
+Reindex
+reindex
+reindexed

content/_index.md

@@ -40,13 +40,18 @@ navs:
 
 {{% navs %}}
 
-{{% notice warning "CVE-2026-5329 published on 2026-04-08" %}}
 
-Velociraptor versions before 0.76.2 improperly validated input in
-client message handler. This could lead to remote code execution on
-the server.
+{{% notice warning "Current Security Advisories" %}}
 
-Read the [Full announcement](/announcements/advisories/cve-2026-5329/) and upgrade immediately.
+* [Velociraptor versions before
+  0.76.3](/announcements/advisories/cve-2026-6290/) contain a
+  vulnerability in the query() plugin which allows access to all orgs
+  with the user's current ACL token.
+
+* [Velociraptor versions before
+  0.76.2](/announcements/advisories/cve-2026-5329/) improperly
+  validated input in client message handler. This could lead to remote
+  code execution on the server.
 
 {{% /notice %}}
 

content/announcements/advisories/CVE-2026-5329/CVE-2026-5329.html

@@ -76,13 +76,17 @@
       Velociraptor server.
     </p>
     <p>
-      Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.
+      Rapid7 Hosted Velociraptor instances are not affected by this
+      vulnerability.
     </p>
   </div>
   <div id="configs">
     <h2>Required configuration for exposure:
     </h2>
-    <p>This vulnerability only affects the Velociraptor server, which is typically running on a Linux system </p>
+    <p>
+      This vulnerability only affects the Velociraptor server, which
+      is typically running on a Linux system.
+    </p>
   </div>
 
   <div id="problem">
@@ -139,7 +143,7 @@ <h2>Product Status:
             </span>
           </td>
           <td>
-            before 0.76.2
+            before 0.76.3
             <br> before 0.75.7
           </td>
         </tr>
@@ -150,7 +154,11 @@ <h2>Product Status:
   <div class="rnd pad sec vgap" id="credits">
     <h2>Credits:
     </h2>
-    <p>We thank Chris Au from NyxLab for identifying and reporting this issue responsibly
+    <p>We thank Chris Au from NyxLab for identifying and reporting
+    this issue responsibly
+    </p>
+    <p>We thank [@s4vvi](https://s4vvi.com/) for reporting the
+    deficiency with the patch on master/minion systems.
     </p>
   </div>
   <div id="references">

content/announcements/advisories/CVE-2026-5329/_index.md

@@ -14,6 +14,14 @@ no_children: true
 
 {{< include-html "CVE-2026-5329.html" >}}
 
+{{% notice warning "Master/Minion systems" %}}
+
+A shortcoming was reported in the 0.76.2 patch which did not properly
+account for master/minion systems. If you are running this
+configuration, please upgrade to version 0.76.3.
+
+{{% /notice %}}
+
 ## Recommendation
 
 This is a critical vulnerability, which can not be mitigated through

content/announcements/advisories/CVE-2026-6290/CVE-2026-6290.html

@@ -0,0 +1,151 @@
+<div class="cve">
+  <p>
+    <span>Published
+    </span>on 2026-04-08
+  </p>
+  <p>
+  </p>
+  <details class="popup">
+    <summary class="lbl rnd sec CVSS MEDIUM">CVSS · HIGH · 8.0
+      <sub>⁄10
+      </sub>
+      <span style="font-size:0px;opacity:0"> · CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
+      </span>
+    </summary>
+    <div class="pop wht rnd shd pad bor">
+      <span>Scoring scenario:
+      </span>GENERAL
+      <div>attackVector:
+        <b>NETWORK
+        </b>
+      </div>
+      <div>attackComplexity:
+        <b>HIGH
+        </b>
+      </div>
+      <div>privilegesRequired:
+        <b>HIGH
+        </b>
+      </div>
+      <div>userInteraction:
+        <b>NONE
+        </b>
+      </div>
+      <div>scope:
+        <b>CHANGED
+        </b>
+      </div>
+      <div>confidentialityImpact:
+        <b>HIGH
+        </b>
+      </div>
+      <div>integrityImpact:
+        <b>HIGH
+        </b>
+      </div>
+      <div>availabilityImpact:
+        <b>HIGH
+        </b>
+      </div>
+      <div>
+        <a class="vgi-dial" href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" target="_blank">Open CVSS Calc
+        </a>
+      </div>
+    </div>
+  </details>
+  <p>
+  </p>
+  <div id="description">
+    <p>
+      Velociraptor versions prior to 0.76.3 contain a vulnerability in
+      the query() plugin which allows access to all orgs with the
+      user's current ACL token.
+    <p>
+      This allows an authenticated GUI user with access in one org, to
+      use the query() plugin, in a notebook cell, to run VQL queries
+      on other orgs which they may not have access to. The user's
+      permissions in the other org are the same as the permissions
+      they have in the org containing the notebook.
+    </p>
+  </div>
+  <div id="problem">
+    <h2>Problem:
+    </h2>
+    <p>CWE-863: Incorrect Authorization
+      <a href="https://cwe.mitre.org/data/definitions/863" target="_blank">
+        <small>CWE-863</small>
+      </a>
+      <br>
+    </p>
+  </div>
+  <div id="impact">
+    <h2>Impact:
+    </h2>
+    <p>CAPEC-114: Authentication Abuse
+      <a href="https://capec.mitre.org/data/definitions/114.html" target="_blank">
+        <small>CAPEC-114
+        </small>
+      </a>
+      <br>
+    </p>
+  </div>
+  <div id="status">
+    <h2>Product Status:
+    </h2>
+    <table class="striped">
+      <colgroup>
+        <col>
+        <col class="affectedCol">
+      </colgroup>
+      <thead>
+        <tr>
+          <th>Product
+          </th>
+          <th>Affected
+          </th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td rowspan="1">
+            <b class="vgi-package">Rapid7 Velociraptor
+            </b>
+            <i> on
+            </i>
+            <span class="vgi-stack">Linux
+            </span>
+            <br>
+            <a class="vgi-ext" href="https://github.com/Velocidex/velociraptor">source repo
+            </a>
+            <br>
+            <span class="vgi-impact">Default status is unaffected
+            </span>
+          </td>
+          <td>
+            before 0.76.3
+            <br> before 0.75.8
+          </td>
+        </tr>
+      </tbody>
+    </table>
+    <br style="font-size:0;">
+  </div>
+  <div class="rnd pad sec vgap" id="credits">
+    <h2>Credits:
+    </h2>
+    <p>We thank Faisal Alhumaid for reporting this issue responsibly.
+    </p>
+  </div>
+  <div id="references">
+    <h2>References
+    </h2>
+    <p>
+    </p>
+    <div>
+      <a href="https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/">docs.velociraptor.app/announcements/advisories/cve-2026-5329/
+      </a>
+    </div>
+    <p>
+    </p>
+  </div>
+</div>

content/announcements/advisories/CVE-2026-6290/_index.md

@@ -0,0 +1,45 @@
+---
+menutitle: "CVE-2026-6290"
+title: "CVE-2026-6290 Velociraptor query() plugin misapplies permissions to orgs"
+description: |
+    Velociraptor versions prior to 0.76.3 contain a vulnerability in the
+    query plugin which allows access to all orgs with the user's current ACL token.
+
+weight: 9
+date: 2026-04-07T00:00:00Z
+no_edit: true
+noTitle: false
+no_children: true
+---
+
+{{< include-html "CVE-2026-6290.html" >}}
+
+## Required configuration for exposure:
+
+This issue affects deployments relying on org separation to contain
+untrusted users to a subset of orgs.
+
+Most Velociraptor users use multiple Orgs to separate different
+environments but have the same group of trusted users with access to
+all orgs. In this case, this vulnerability does not apply since all
+users have the same permissions on all orgs.
+
+## Recommendation
+
+You can disable the query() plugin by [adding the following
+YAML](/docs/deployment/references/#security.denied_plugins) to your
+`server.config.yaml`
+
+```yaml
+security:
+  denied_plugins:
+    - query
+```
+
+
+To remediate, you will need to [upgrade your
+server](/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade)
+to the latest version of your release:
+
+* For 0.76 releases, upgrade immediately to [v0.76.3](https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.3-linux-amd64)
+* For 0.75 releases, upgrade immediately to [v0.75.8](https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.8-linux-amd64)

content/docs/deployment/orgs/_index.md

@@ -121,6 +121,18 @@ Once the new org is created you can assign users to the Org using the
 [Adding a New User]({{% ref
 "/docs/deployment/security/#adding-a-new-user" %}}) procedure.
 
+#### Org Security
+
+Although users are separated from accessing different orgs using org
+specific ACLs, in most Velociraptor deployments, this is a soft
+separation. There are many available ways in which a malicious user
+may access an org that they have no ACLs to. Generally we recommend
+not providing untrusted users access to the Velociraptor GUI at all,
+even if they should be restricted to a small set of orgs.
+
+See this for a full discussion of [Org
+Security](/docs/deployment/security/#managing-org-access).
+
 ### Preparing client deployment for the new Org
 
 Clients are configured to connect to one org only. While the

content/docs/deployment/security/_index.md

@@ -823,3 +823,79 @@ by the user that initiates the collection.
 
 
 {{% /notice %}}
+
+
+## Managing org access
+
+Velociraptor provides ACL separation to users based on an org (or
+tenant) model. This means the same user may have different ACLs in
+different orgs - they may only have read access in one org and full
+admin access in another org.
+
+While this is convenient, it is not enough to provide complete
+separation to untrusted users.
+
+If an untrusted user has access to one org but does not have access to
+another, there are multiple ways which allow the user to read/modify
+data in the other org:
+
+### Shelling out
+
+By default, users have access to the `execve()` plugin providing they
+have the `EXECVE` permission (normally given to administrators). This
+allows an administrator in one org to run arbitrary code on the
+server - which may allow them to just read the file store of another
+org.
+
+You may disable the `execve()` plugin using the [configuration
+file](/docs/deployment/references/#security.denied_plugins)
+
+```yaml
+security:
+  denied_plugins:
+      - execve
+```
+
+### Accessing files directly
+
+Velociraptor org data are stored on disk in separate directories. This
+means that users that have access to the `file` accessor can simply
+read the other org's data bypassing the ACLs.
+
+For example, the following query will read all orgs datastore files:
+
+```vql
+SELECT * FROM glob(globs="/opt/velociraptor/orgs/**")
+```
+
+In recent versions of Velociraptor, it is possible to restrict the
+operation of the `file` accessor using the [configuration
+file](/docs/deployment/references/#security.denied_file_accessor_prefix). The
+following stops direct file access to the `/opt/velociraptor/`
+directory. On Linux many files can be read using the `/proc/`
+filesystem too. A more restrictive deployment will have more paths
+here.
+
+```yaml
+security:
+  denied_file_accessor_prefix:
+      - /opt/velociraptor/
+      - /etc/
+      - /proc/
+```
+
+Other accessors may provide access to different orgs in some
+situations. For example when running the server as root, the `ext4` or
+`ntfs` accessors may allow direct reading of the filesystem
+inode. Usually we recommend running the server on Linux as a non-root
+user to prevent these issues.
+
+In summary, although it is possible to restrict user access to
+different orgs this should be considered best effort. Much thought is
+required to truly isolate an untrusted user to some orgs, preventing
+access to other orgs. The recommendation is to avoid giving untrusted
+and potentially malicious users to the Velociraptor GUI at all.
+
+If you require true data isolation between orgs, we recommend to spin
+up a separate Velociraptor instance (Virtual Machine or container) for
+each unique deployment.