Description
An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.
Published: 2026-04-07
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Limited confidentiality exposure
Action: Patch
AI Analysis

Impact

The runZero Platform contains a weakness that allows task information to be disclosed beyond the boundaries of the authorized organization. This issue results from incorrect authorization checks (CWE‑863). The information that can be leaked is task data; the CVE description indicates that confidentiality is lowered while integrity and availability remain unaffected. As specified by the CVSS metric, the impact is rated low.

Affected Systems

Users of the runZero Platform running any release earlier than 4.0.260205.0 are potentially affected. The vulnerability has been fixed in version 4.0.260205.0; no other affected version details are disclosed.

Risk and Exploitability

The CVSS vector shows a network-based attack (AV:N) that requires high authentication (PR:H) and high complexity (AC:H). Earning a score of 2.2, the overall risk is low. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, which further indicates that it is not widely exploited. Nonetheless, because the flaw permits leaking sensitive task data to an unauthorized organization, prompt remediation is advisable.

Generated by OpenCVE AI on April 7, 2026 at 20:35 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260205.0 of the runZero Platform

OpenCVE Recommended Actions

  • Upgrade the runZero Platform to version 4.0.260205.0 or later to close the authorization flaw
  • Verify that the update has been applied by checking the release notes on the runZero documentation site
  • Review user permissions to ensure that only necessary teams have access to task-related data

Generated by OpenCVE AI on April 7, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Runzero
Runzero platform
Vendors & Products Runzero
Runzero platform

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.
Title runZero Platform task information leak
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Runzero Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T15:02:37.040Z

Reserved: 2026-04-01T20:20:39.700Z

Link: CVE-2026-5381

cve-icon Vulnrichment

Updated: 2026-04-07T15:02:28.186Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T15:17:48.230

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5381

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:49:12Z

Weaknesses