CVE-2026-5374
Received Received - Intake

Incorrect Authorization in runZero MCP Agents Allows Data Exposure

Vulnerability report for CVE-2026-5374, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-04-21

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
runzero runzero_platform to 4.0.260202.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-5374 vulnerability is an information leak issue in the runZero Platform MCP (Managed Control Plane) agents. It allowed these agents to access remediation and asset information beyond their authorized organizational scope, which means they could see data they were not supposed to access. This is classified as CWE-863: Incorrect Authorization.

The vulnerability has a CVSS 3.1 base score of 5.8 (Medium), indicating it can be exploited over the network but requires high privileges and has a high attack complexity. It impacts confidentiality by exposing sensitive information but does not affect integrity or availability.

Impact Analysis

If exploited, this vulnerability could allow an attacker to obtain sensitive remediation and asset information from outside their authorized organizational scope. This exposure of sensitive information could be used to tailor further attacks against the targeted organization.

Mitigation Strategies

To mitigate the CVE-2026-5374 vulnerability, you should update the runZero Platform to version 4.0.260202.0 or later, where the issue has been fixed.

This update addresses the incorrect authorization issue that allowed MCP agents to access remediation and asset information outside their authorized organizational scope.

Compliance Impact

The vulnerability allowed MCP agents to access remediation and asset information beyond their authorized organizational scope, leading to a high confidentiality impact. Such unauthorized access to sensitive information could potentially result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on access to sensitive and personal data.

By exposing sensitive organizational information, this issue could increase the risk of data breaches or unauthorized data exposure, which are critical concerns under these regulations. Therefore, addressing this vulnerability is important to maintain compliance with standards that require proper authorization and protection of sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart