Faisal Alhumaid

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.76.4 **Description** A cross organization authorization bypass exists in the HTTP API. A user assigned the reader role in the root organization, which possesses only `READ RESULTS` permission, can perform an authenticated HTTP GET request to read files from other organizations, regardless of whether they have explicit permissions in the target organization. **Recommendations** Update to version 0.76.4 or later.

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.76.4 **Description** A resource exhaustion issue exists in the server's agent control channel. A compromised or rogue client can crash the server by causing out-of-memory (OOM) conditions through the transmission of crafted messages via the standard client communication channel. **Recommendations** Update to version 0.76.4 or later.

**Name of the Vulnerable Software and Affected Versions** Velociraptor versions prior to 0.76.3 **Description** A flaw in the `query()` plugin allows an authenticated GUI user to access all organizations using their current ACL token. By utilizing the `query()` plugin within a notebook cell, a user with access to one organization can execute VQL queries on other organizations they are not authorized to access. In such cases, the user maintains the same permissions in the target organization as they have in the organization where the notebook is located. **Recommendations** Update to version 0.76.3 or later.