Description
An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.
Published: 2026-04-07
Score: 3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure through MCP endpoints
Action: Patch
AI Analysis

Impact

The vulnerability is an instance of incorrect authorization that permits the MCP endpoints to expose records outside the intended organization scope. This misauthorization can lead to the disclosure of confidential data, affecting confidentiality but not integrity or availability. The likely attack vector is via network access to the endpoints, exploiting the lack of proper authorization checks, as indicated by the CVSS vector AV:N. The CVSS score of 3.0 reflects a low risk severity but still represents a data confidentiality issue.

Affected Systems

The issue affects the runZero Platform. Any deployment running a version prior to 4.0.260206.0 is potentially vulnerable, while versions 4.0.260206.0 and later include the fix.

Risk and Exploitability

This vulnerability has a low CVSS score of 3.0 and no EPSS data is available. It is not referenced in the CISA KEV catalog. Exploitation requires network accessibility to the MCP endpoints and the existence of a user with permissions to query those endpoints. The breach could allow an attacker to harvest records that they should not have access to, thereby violating data privacy constraints.

Generated by OpenCVE AI on April 7, 2026 at 20:07 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.260206.0 of the runZero Platform

OpenCVE Recommended Actions

  • Update the runZero Platform to version 4.0.260206.0 or later to apply the vendor–provided fix.
  • Verify that all users and applications have correct authorization scopes and that no over‑privileged credentials exist.
  • Monitor API usage logs for anomalous requests to MCP endpoints to detect any potential misuse.

Generated by OpenCVE AI on April 7, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Runzero
Runzero platform
Vendors & Products Runzero
Runzero platform

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.
Title runZero Platform MCP endpoint information leak
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Runzero Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T15:38:38.395Z

Reserved: 2026-04-01T20:20:40.699Z

Link: CVE-2026-5382

cve-icon Vulnrichment

Updated: 2026-04-07T15:32:09.059Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T15:17:48.390

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-5382

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:49:11Z

Weaknesses