Description
An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Superuser privilege escalation
Action: Immediate Patch
AI Analysis

Impact

An improper privilege management flaw in the runZero Platform allows any all-organization administrator to promote an account to superuser status. This defect, classified as CWE-269, carries a CVSS v3.1 base score of 8.1 (High). An attacker holding all-organization administrator credentials can use it to obtain full platform control: superuser access exposes confidential data, configuration settings and other privileged functionality across the whole platform, compromising overall system integrity.
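The defect class behind CWE-269 here is an authorization check that asks "is the caller an administrator?" instead of "is the caller allowed to grant this specific role?". The following is an added illustrative model, not runZero's code: the role names, the User record and the promote() functions are assumptions chosen to show the weak check next to a hardened one.

```python
"""Illustrative model of the CWE-269 pattern described in this advisory.

Added example code, not runZero's implementation. The role names, the
`User` record, the `promote_*` functions and the grant policy are assumed
for illustration only.
"""
from dataclasses import dataclass

# Hypothetical role hierarchy; only the names mirror the advisory's wording.
USER = "user"
ORG_ADMIN = "all_org_admin"
SUPERUSER = "superuser"
ROLES = {USER, ORG_ADMIN, SUPERUSER}


@dataclass
class User:
    name: str
    role: str


class AuthzError(PermissionError):
    """Raised when the actor is not allowed to perform the role change."""


def promote_vulnerable(actor: User, target: User, new_role: str) -> User:
    """Weak check (modelled pre-fix behaviour): any administrator may assign any role.

    The check only asks "is the actor some kind of admin?", so an
    all-organization administrator can hand out the superuser role, which is
    the escalation the advisory describes.
    """
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    if actor.role not in (ORG_ADMIN, SUPERUSER):
        raise AuthzError(f"{actor.name} may not change roles")
    return User(target.name, new_role)


def promote_fixed(actor: User, target: User, new_role: str) -> User:
    """Hardened check: grant decisions are made per target role.

    An actor may only grant roles at or below their own level, and the
    platform-wide superuser role is reserved to existing superusers, so an
    organization-scoped administrator cannot reach it.
    """
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    # Assumed policy: which actor roles may grant each target role.
    grantable_by = {
        USER: {ORG_ADMIN, SUPERUSER},
        ORG_ADMIN: {ORG_ADMIN, SUPERUSER},
        SUPERUSER: {SUPERUSER},
    }
    if actor.role not in grantable_by[new_role]:
        raise AuthzError(f"{actor.name} ({actor.role}) may not grant {new_role}")
    return User(target.name, new_role)


def escalation_possible(promote) -> bool:
    """True if an all-organization admin can mint a superuser via `promote`."""
    admin = User("alice", ORG_ADMIN)   # constructed sample accounts
    target = User("bob", USER)
    try:
        return promote(admin, target, SUPERUSER).role == SUPERUSER
    except AuthzError:
        return False


if __name__ == "__main__":
    print("vulnerable:", escalation_possible(promote_vulnerable))  # True
    print("fixed:     ", escalation_possible(promote_fixed))       # False
```

The point of the hardened form is that the grant table is keyed on the role being granted, not on the actor being "an admin"; a test like escalation_possible() belongs in the regression suite of any product with scoped administrator roles.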

Affected Systems

The runZero Platform is affected in all versions prior to the fixed build 4.0.260202.0; the NVD CPE entry (cpe:2.3:a:runzero:runzero_platform:*) does not narrow the range further. The issue is reachable by any account holding the all-organization administrator role.

Risk and Exploitability

The CVSS vector indicates that the attack is performed over the network (AV:N) with low complexity (AC:L), but requires high privileges (PR:H, an all-organization administrator account) and user interaction (UI:R). Scope is changed (S:C): the superuser role reaches beyond the organizations the administrator was entrusted with, which is why the score remains High despite the privileges required. EPSS is below 1% (Very Low), the vulnerability is not listed in the CISA KEV catalog, and the CISA SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: total. The total technical impact still makes this a significant insider-threat and compromised-credential risk: once exploited, the attacker controls the entire platform, can read any data it holds and can use that position for further internal attacks.

Generated by OpenCVE AI on April 7, 2026 at 20:36 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260202.0 of the runZero Platform.


OpenCVE Recommended Actions

  • Upgrade the runZero Platform to version 4.0.260202.0 or later

Generated by OpenCVE AI on April 7, 2026 at 20:36 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Runzero runzero Platform
  CPEs                  -                cpe:2.3:a:runzero:runzero_platform:*:*:*:*:*:*:*:*
  Vendors & Products    -                Runzero runzero Platform

Wed, 08 Apr 2026 20:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Runzero; Runzero platform
  Vendors & Products    -                Runzero; Runzero platform

Tue, 07 Apr 2026 15:15:00 +0000

  Type                  Values Removed   Values Added
  Description           -                An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform.
  Title                 -                runZero Platform superuser privilege escalation
  Weaknesses            -                CWE-269
  References            -                -
  Metrics               -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}
                                         ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T14:50:25.911Z

Reserved: 2026-04-01T19:51:11.510Z

Link: CVE-2026-5373

Vulnrichment

Updated: 2026-04-07T14:44:22.011Z

NVD

Status : Analyzed

Published: 2026-04-07T15:17:47.140

Modified: 2026-04-21T15:09:23.593

Link: CVE-2026-5373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:20Z

Weaknesses