Description
An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
Published: 2026-04-07
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Patch Immediately
AI Analysis

Impact

An actor who already holds credential access can view sensitive fields in API responses that should not be exposed to them. The flaw is an exposure of confidential information: data that should be protected can be disclosed. It is classified as CWE-200, indicating that API responses lacked adequate access controls over the sensitive data they carry. The primary consequence is a loss of confidentiality of credential information; integrity and availability are unaffected.

Affected Systems

The vulnerability affects runZero Platform versions older than 4.0.260203.0. All installations of runZero Platform running a version prior to this release are susceptible. The issue is resolved by updating to 4.0.260203.0 or later.

Risk and Exploitability

The CVSS score is 2.7, indicating low severity. Exploitation requires a user who already possesses credential access, so an insider or privileged user could exploit it. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently under widespread exploitation. The attack vector is inferred to be network-based and requires legitimate access to the API. Overall, the risk is low, and is further reduced by the high privileges required to exploit it.

Generated by OpenCVE AI on April 7, 2026 at 20:10 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260203.0 of the runZero Platform.


OpenCVE Recommended Actions

  • Apply the vendor patch to version 4.0.260203.0 or newer to eliminate the credential information leak.


Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Runzero; Runzero platform
Vendors & Products | | Runzero; Runzero platform

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
Title | | runZero Platform API credential information leak
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Runzero Platform
MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T14:50:26.203Z

Reserved: 2026-04-01T19:51:13.277Z

Link: CVE-2026-5375

Vulnrichment

Updated: 2026-04-07T14:44:26.706Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T15:17:47.460

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:18Z

Weaknesses