Add release 0.76.6 (Velocidex#1269)

Author: scudette

Makefile

@@ -49,3 +49,6 @@ comparisons:
 
 descriptions:
 	python3 scripts/descriptions.py content/
+
+vale:
+	vale --output line .

content/announcements/advisories/CVE-2026-6863/_index.md

@@ -59,7 +59,7 @@ no_children: true
         </b>
       </div>
       <div>availabilityImpact:
-        <b>HIGH
+        <b>NONE
         </b>
       </div>
       <div>

content/announcements/advisories/CVE-2026-8795/_index.md

@@ -0,0 +1,194 @@
+---
+menutitle: "CVE-2026-8795"
+title: "CVE-2026-8795 YAML Injection Leading to Potential Analyst Targeting"
+description: |
+    A YAML injection vulnerability in the
+    Windows.Collectors.Remapping artifact allows an attacker who
+    supplies a crafted collection ZIP to execute arbitrary VQL on the
+    analyst's machine.
+weight: -10
+date: 2026-05-01T00:00:00Z
+no_edit: true
+noTitle: false
+no_children: true
+---
+
+<div class="cve">
+  <p>
+    <span>Published
+    </span>on 2026-06-04
+  </p>
+  <p>
+  </p>
+  <details class="popup">
+    <summary class="lbl rnd sec CVSS HIGH">CVSS · HIGH · 7.8
+      <sub>⁄10
+      </sub>
+      <span style="font-size:0px;opacity:0"> · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+      </span>
+    </summary>
+    <div class="pop wht rnd shd pad bor">
+      <span>Scoring scenario:
+      </span>GENERAL
+      <div>attackVector:
+        <b>LOCAL
+        </b>
+      </div>
+      <div>attackComplexity:
+        <b>LOW
+        </b>
+      </div>
+      <div>privilegesRequired:
+        <b>NONE
+        </b>
+      </div>
+      <div>userInteraction:
+        <b>REQUIRED
+        </b>
+      </div>
+      <div>scope:
+        <b>UNCHANGED
+        </b>
+      </div>
+      <div>confidentialityImpact:
+        <b>HIGH
+        </b>
+      </div>
+      <div>integrityImpact:
+        <b>HIGH
+        </b>
+      </div>
+      <div>availabilityImpact:
+        <b>HIGH
+        </b>
+      </div>
+      <div>
+        <a class="vgi-dial" href="https://www.first.org/cvss/calculator/3.0#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" target="_blank">Open CVSS Calc
+        </a>
+      </div>
+    </div>
+  </details>
+  <p>
+  </p>
+  <div id="description">
+    <p>
+    A YAML injection vulnerability in the Windows.Collectors.Remapping
+    artifact allows an attacker who supplies a crafted
+    collection ZIP to execute arbitrary VQL on the analyst's
+    machine. The hostname field in client_info.json inside the ZIP is
+    inserted into a YAML template via Go's text/template without any
+    YAML escaping. By embedding a literal " followed by newlines in
+    the hostname, an attacker breaks out of the YAML quoted string and
+    injects a new mount remapping entry whose scope field contains VQL
+    that executes with NullACLManager (all permissions granted, no
+    sandboxing) when the analyst applies the generated remapping file
+    with --remap.
+    </p>
+  </div>
+  <div id="problem">
+    <h2>Problem:
+    </h2>
+    <p>CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
+      <a href="https://cwe.mitre.org/data/definitions/74" target="_blank">
+        <small>CWE-74</small>
+      </a>
+      <br>
+    </p>
+    <p>CWE-94  Improper Control of Generation of Code ('Code Injection')
+      <a href="https://cwe.mitre.org/data/definitions/94" target="_blank">
+        <small>CWE-94</small>
+      </a>
+      <br>
+    </p>
+    <p>CWE-116 Improper Encoding or Escaping of Output
+      <a href="https://cwe.mitre.org/data/definitions/116" target="_blank">
+        <small>CWE-116</small>
+      </a>
+      <br>
+    </p>
+
+  </div>
+  <div id="impact">
+    <h2>Impact:
+    </h2>
+    <p>CAPEC-549: Local Execution of Code
+      <a href="https://capec.mitre.org/data/definitions/549.html" target="_blank">
+        <small>CAPEC-549
+        </small>
+      </a>
+      <br>
+    </p>
+  </div>
+  <div id="status">
+    <h2>Product Status:
+    </h2>
+    <table class="striped">
+      <colgroup>
+        <col>
+        <col class="affectedCol">
+      </colgroup>
+      <thead>
+        <tr>
+          <th>Product
+          </th>
+          <th>Affected
+          </th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td rowspan="1">
+            <b class="vgi-package">Rapid7 Velociraptor
+            </b>
+            <i> on
+            </i>
+            <span class="vgi-stack">Linux
+            </span>
+            <br>
+            <a class="vgi-ext" href="https://github.com/Velocidex/velociraptor">source repo
+            </a>
+            <br>
+            <span class="vgi-impact">Default status is unaffected
+            </span>
+          </td>
+          <td>
+            before 0.76.6
+          </td>
+        </tr>
+      </tbody>
+    </table>
+    <br style="font-size:0;">
+  </div>
+  <div class="rnd pad sec vgap" id="credits">
+    <h2>Credits:
+    </h2>
+    <p>We thank <b>Artificial Intelligence</b> for identifying and reporting this issue responsibly
+    </p>
+  </div>
+  <div id="references">
+    <h2>References
+    </h2>
+    <p>
+    </p>
+    <div>
+      <a href="https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/">docs.velociraptor.app/announcements/advisories/cve-2026-8795/
+      </a>
+    </div>
+    <p>
+    </p>
+  </div>
+</div>
+
+## Required configuration for exposure
+
+This vulnerability only affects users who use
+[remapping](/docs/forensic/deaddisk/creating_running/) to directly
+operate on offline collections. This usage typically uses the
+`Windows.Collectors.Remapping` artifact to generate a remapping file
+and then subsequently uses that remapping file to collect artifacts on
+the offline collector file directly. This is a very niche use case and
+a very common processing pipeline.
+
+To mitigate this issue you can upgrade the server to version
+`0.76.6` or copy the latest [Windows.Collectors.Remapping](https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Collectors/Remapping.yaml) artifact from the
+latest release into the [config file](/docs/deployment/references/#Frontend.artifact_definitions_directory).

content/docs/deployment/security/_index.md

@@ -25,6 +25,47 @@ deployment methods to ensure it can be secured on the network. We then
 discuss the Velociraptor permission model and suggest some further
 steps to ensure user actions are audited and controlled.
 
+## Client verification
+
+From the outset we need to highlight a fundamental limitation of agent
+based security software.
+
+> Because the agent (The Velociraptor `Client`) is running on a
+> potentially compromised platform, We can never fully trust what the
+> client is telling us.
+
+There is no guarantee that the client will work correctly - it may be
+subverted by an attacker (who has full control of the endpoint) to:
+
+1. Disable the client completely - it will not report to the server.
+2. The client may omit reporting some information - For example, the
+   client may hide sensitive files or artifacts that the attacker
+   wants to hide.
+3. The client may report incorrect information (for example fake
+   processes, files etc).
+
+This is a fundamental limitation in the server/client model and can
+not be mitigated. Typically the Velociraptor client is running at an
+elevated permissions level which makes it harder to interact with by
+low privileged users, this reduces the risk somewhat. If you have an
+EDR installed on the endpoint, you may add anti-tamper rules to the
+EDR to reduce the risk of client interference even further - however
+there is always a residual risk of interference when the platform may
+be compromised.
+
+We refer to a compromised client as a `Rogue Client`. This type of
+client can send malformed responses or fake data.
+
+You should always keep this limitation in mind when interpreting
+results from Velociraptor. The results may be missing or incorrect, or
+a client may be completely disabled by an attacker.
+
+The main concern for Velociraptor is to ensure that one client can not
+impersonate another client. This mitigates the risk of a compromised
+client injecting fake information about another client. Velociraptor
+mitigates this risk using cryptographic keys as described in the next
+section.
+
 ## Velociraptor communications
 
 How do Velociraptor clients communicate with the server? You can read
@@ -1179,7 +1220,7 @@ accessing the disk directly to bypass ACLs and denied paths.
 {{% /notice %}}
 
 
-{{% notice warn "`http_client()`, Unix sockets, and server ACLs" %}}
+{{% notice warning "`http_client()`, Unix sockets, and server ACLs" %}}
 
 The VQL `http_client()` plugin understands URLs like
 `/var/run/docker.sock:unix/v1/version`, which relays HTTP traffic

content/downloads/_index.md

@@ -5,57 +5,57 @@ draft: false
 weight: 25
 no_children: true
 pre: <i class="fas fa-download"></i>
-release: 0.76.5
+release: 0.76.6
 base_release: 0.76
 arches:
   - desc: Windows AMD64 (64-bit) Executable
     name: windows-amd64.exe
-    hash: 4813e753f6f9bfa5c5de0edbb8dd3cc7f1fa51714097d3144d44e5e89dbd33ef
+    hash: 1e82175822aa9ffdfd7bc177599642f3db55159d0a2f38bb0fcc6722f15573cd
     platform: windows
 
   - desc: Windows AMD64 (64-bit) MSI
     name: windows-amd64.msi
-    hash: a35a220a58360bbe501b5f9cb4ccf4eda188c6e68e770bf0a79bea75d3b2b899
+    hash: e5fc16e7d4aea87f70edb9ce09112f1c92808b9e4547a544769d433545ff3ee3
     platform: windows
 
   - desc: Windows 32-bit Executable
     name: windows-386.exe
-    hash: 402e7968257bb8b3d85864517c452dde04d0c997ddfdbf161908bc377987521b
+    hash: 4c329cb5b1d881ef7681e4faea9dc8f8e081bb579739d557ca0dc5bc57a8ef12
     platform: windows
 
   - desc: Windows 32-bit MSI
     name: windows-386.msi
-    hash: fe407135b9f0e7fa149533b42119814afdb036b3489f26637ba6243841c68aff
+    hash: 9fb535710bba977f28761b387c3e90095ac02022cb1f3765b7067de9fdda3ce1
     platform: windows
 
   - desc: Linux Ubuntu 22.04 AMD64 and later. Recommended for servers.
     name: linux-amd64
-    hash: e6b2b379c90aaddf549a200dea108fe34e397994d45d2fc3b68f53b2f5277b51
+    hash: 9b1c439834a562a96cbef886f26a93521d16b020fd96777fb30e01f88947af18
     platform: linux
 
   - desc: Linux Ubuntu 22.04 ARM and later. Recommended for servers or containers.
     name: linux-arm64
-    hash: 5e38969f199823535f1bd8611e1ab95e45c2cc4a4522d0c2a68474cdbe098214
+    hash: d19218d37d76b6988d25d21d2cdb349658fa12b355d44c90f44b5cdd975b7616
     platform: linux
 
   - desc: Linux Static Build (Older Releases, e.g. RHEL, Centos) Recommended for clients.
     name: linux-amd64-musl
-    hash: e7e43975f4855e03aba0e7d9ef2a8ed32c58112718074ddcf3535bebf90e1f2f
+    hash: 84ad1652ff6e79694441a06a6af4040aae6a982080d2ef583a31bda52f58e299
     platform: linux
 
   - desc: Linux Sumo build. Recommended for servers.
     name: linux-amd64-sumo-musl
-    hash: 8b2d1e8cd74ea58a56ce0ed0c052c2e66ad45980f0b35bab6afe566363cae745
+    hash: f39269d2c1858497c0f244caefc603c9061ef4d837201aa28c18831967cc6343
     platform: linux
 
   - desc: MacOS AMD64
     name: darwin-amd64
-    hash:
+    hash: 6308ea8c7f7dbacad791977caefe387c61daaebf4f94cde2e1c39d89968091a3
     platform: apple
 
   - desc: MacOS ARM (M1, M2 chipsets)
     name: darwin-arm64
-    hash:
+    hash: 4518998f95de31d4ee5734dfbcdd60f834c43a1b9fc6f9a1f372d8099172a496
     platform: apple
 
   - desc: FreeBSD AMD64