CVE-2026-5374
Received Received - Intake
Incorrect Authorization in runZero MCP Agents Allows Data Exposure

Publication date: 2026-04-07

Last updated on: 2026-04-21

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5374
EUVD
EUVD-2026-19635
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
runzero runzero_platform to 4.0.260202.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allowed MCP agents to access remediation and asset information beyond their authorized organizational scope, leading to a high confidentiality impact. Such unauthorized access to sensitive information could potentially result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls on access to sensitive and personal data.

By exposing sensitive organizational information, this issue could increase the risk of data breaches or unauthorized data exposure, which are critical concerns under these regulations. Therefore, addressing this vulnerability is important to maintain compliance with standards that require proper authorization and protection of sensitive data.

Executive Summary

The CVE-2026-5374 vulnerability is an information leak issue in the runZero Platform MCP (Managed Control Plane) agents. It allowed these agents to access remediation and asset information beyond their authorized organizational scope, which means they could see data they were not supposed to access. This is classified as CWE-863: Incorrect Authorization.

The vulnerability has a CVSS 3.1 base score of 5.8 (Medium), indicating it can be exploited over the network but requires high privileges and has a high attack complexity. It impacts confidentiality by exposing sensitive information but does not affect integrity or availability.

Impact Analysis

If exploited, this vulnerability could allow an attacker to obtain sensitive remediation and asset information from outside their authorized organizational scope. This exposure of sensitive information could be used to tailor further attacks against the targeted organization.

Mitigation Strategies

To mitigate the CVE-2026-5374 vulnerability, you should update the runZero Platform to version 4.0.260202.0 or later, where the issue has been fixed.

This update addresses the incorrect authorization issue that allowed MCP agents to access remediation and asset information outside their authorized organizational scope.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart