CVE-2026-5382
Status: Received - Intake
Incorrect Authorization in runZero MCP Endpoints Exposes Records

Publication date: 2026-04-07

Last updated on: 2026-04-21

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description
An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-21
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: runzero
Product: runzero_platform
Version / Range: up to 4.0.260206.0 (exclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Compliance Impact

CVE-2026-5382 is an information leak vulnerability that allows authorized users to access confidential asset records outside their authorized organizational scope. This unauthorized data exposure, even if limited, could affect compliance with data protection regulations such as GDPR or HIPAA, which mandate strict controls on access to personal or sensitive information.

However, the vulnerability has a low confidentiality impact (CVSS score 3.0) and does not affect data integrity or availability. The issue was fixed in version 4.0.260206.0 of the runZero Platform, which removes the risk of this unauthorized data exposure.

Organizations running affected versions prior to the fix may face compliance risk from potential unauthorized access to sensitive records, which could constitute a violation of standards that require proper authorization and data access controls.

Executive Summary

CVE-2026-5382 is an information leak vulnerability in the runZero Platform's MCP (Management Control Plane) endpoint. It is classified as CWE-863: Incorrect Authorization.

This vulnerability allows an authorized user to query the MCP endpoint and potentially access confidential asset records belonging to organizations outside their authorized scope.

Although the attacker cannot precisely control which records are exposed, this unauthorized data access could facilitate crafting more targeted attacks against those organizations.

The vulnerability has a CVSS 3.1 base score of 3.0 (Low), indicating it requires high privileges and has a low confidentiality impact without affecting integrity or availability.

Impact Analysis

This vulnerability can impact you by allowing an authorized user with high privileges to access confidential asset records of other organizations outside their authorized scope.

Such unauthorized data exposure could enable attackers to gather information that helps them craft more targeted and potentially more effective attacks against those organizations.

However, the impact is considered low in terms of confidentiality, and it does not affect data integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the runZero Platform to version 4.0.260206.0 or later, where the issue has been fixed.
