Description
An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Patch
AI Analysis

Impact

An authorized user can view clear‑text secrets for certain credential types and fields. This results in loss of confidentiality, allowing attackers with legitimate access to retrieve sensitive authentication data. The weakness is identified as CWE‑522, Insufficiently Protected Credentials, and is rated as a medium severity vulnerability.

Affected Systems

The runZero Platform is affected. Users running any version of the Platform prior to 4.0.260204.2 are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk. Because susceptibility requires legitimate authorization, the attack vector is internal and limited to users with existing access. No exploit probability data or KEV listing is available, and no publicly disclosed exploit has been reported.

Generated by OpenCVE AI on April 7, 2026 at 20:08 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260204.2 of the runZero Platform

OpenCVE Recommended Actions

  • Upgrade the runZero Platform to version 4.0.260204.2 or later.

Generated by OpenCVE AI on April 7, 2026 at 20:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Runzero
Runzero platform
Vendors & Products Runzero
Runzero platform

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.
Title runZero Platform cleartext secret exposure
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Runzero Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T15:03:47.654Z

Reserved: 2026-04-01T20:20:38.604Z

Link: CVE-2026-5380

cve-icon Vulnrichment

Updated: 2026-04-07T15:03:39.723Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T15:17:48.070

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5380

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:49:13Z

Weaknesses