Description
An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
Published: 2026-04-07
Score: 3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

An authorization flaw lets agents in one organizational scope reach features that belong to another scope. As a result, MCP agents can view certificate information that they are not authorized to see. This causes a modest loss of confidentiality and is classified as CWE-863.

Affected Systems

The vulnerability exists in the runZero Platform before version 4.0.260203.0. Only installations using an earlier release are affected. The platform version can be verified against the release notes linked in the advisory.

Risk and Exploitability

The CVSS score is 3.0, indicating low severity. The lack of an EPSS score and absence from the CISA KEV list suggest limited public exploitation. The attack vector is likely an MCP agent that gains elevated permissions within the platform, which requires that the attacker already has some operational presence in the system. The risk level remains low, but the flaw could allow limited privilege escalation and disclosure of sensitive onboarding certificates.

Generated by OpenCVE AI on April 7, 2026 at 20:09 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260203.0 of the runZero Platform.


OpenCVE Recommended Actions

  • Apply the patch delivered in runZero Platform version 4.0.260203.0
  • Verify that the running platform version matches the updated release

Generated by OpenCVE AI on April 7, 2026 at 20:09 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Runzero; Runzero platform
Vendors & Products | | Runzero; Runzero platform

Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
Title | | runZero Platform MCP certification information leak
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T15:04:56.157Z

Reserved: 2026-04-01T20:13:08.079Z

Link: CVE-2026-5379

Vulnrichment

Updated: 2026-04-07T15:04:32.834Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T15:17:47.917

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:14Z
