Description
An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform.
Published: 2026-04-07
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits MCP agents to retrieve remediation and asset details from outside their authorized organization scope. It is an instance of incorrect authorization (CWE-863) that exposes data the agent should not be able to read. The reported CVSS vector (C:H/I:N/A:N) reflects a medium-severity scenario in which an attacker can obtain confidential asset information but cannot modify or delete data.

Affected Systems

The affected product is the runZero Platform, and the issue applies to all deployments prior to version 4.0.260202.0. Any instance running an earlier version is vulnerable.

Risk and Exploitability

The CVSS score of 5.8 indicates medium risk, and the very low EPSS score (< 1%) and the absence of a KEV listing mean there is no currently documented exploitation. However, the nature of the flaw (CWE-863) means that an attacker who gains MCP agent access could read data beyond their authorized scope. A patch is available, so applying it promptly reduces risk.

Generated by OpenCVE AI on April 7, 2026 at 20:10 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260202.0 of the runZero Platform.


OpenCVE Recommended Actions

  • Upgrade the runZero Platform to version 4.0.260202.0 or later, which contains the fix for the authorization flaw.
  • Verify that all affected instances have been upgraded and that MCP agents can no longer access assets outside their organization.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Runzero; Runzero platform |
| Vendors & Products | | Runzero; Runzero platform |

Tue, 07 Apr 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform. |
| Title | | runZero Platform MCP information leak |
| Weaknesses | | CWE-863 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T14:50:26.053Z

Reserved: 2026-04-01T19:51:12.402Z

Link: CVE-2026-5374

Vulnrichment

Updated: 2026-04-07T14:44:24.551Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T15:17:47.307

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5374

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:19Z
