Description
An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.
Published: 2026-04-07
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to Explorer groups across organization scopes
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in runZero Explorer allows an attacker to view or interact with Explorer groups that fall outside the authorized organization scope. Because the application fails to enforce proper authorization checks, the flaw falls under CWE‑863, Incorrect Authorization. Although the CVSS scoring predicts low impact on confidentiality and higher impact on integrity, the ability to access groups where the attacker does not have permission can lead to unauthorized data visibility and potential manipulation of group settings.

Affected Systems

The affected product is runZero Explorer, in versions prior to 4.0.26021.0 (the vendor notes that the issue was also fixed in 4.0.260208.0). Anyone deploying these earlier builds is susceptible to the flaw.

Risk and Exploitability

The CVSS 3.1 score of 4.4 classifies the issue as medium severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, indicating that it is not a known exploited weakness at this time. The likely attack vector is through the web interface, where an unauthenticated or low‑privilege user can request group data that should be restricted.

Generated by OpenCVE AI on April 7, 2026 at 20:07 UTC.

Remediation

Vendor Solution

This issue was fixed in version 4.0.26021.0 of the runZero Explorer.


OpenCVE Recommended Actions

  • Upgrade to runZero Explorer 4.0.26021.0 or later.
  • Confirm that group access controls are functioning correctly after the upgrade.


Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Runzero runzero Platform
CPEs | | cpe:2.3:a:runzero:runzero_platform:*:*:*:*:*:*:*:*
Vendors & Products | | Runzero runzero Platform

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Runzero; Runzero explorer
Vendors & Products | | Runzero; Runzero explorer

Tue, 07 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.
Title | | runZero Explorer missing authorization check
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-04-07T20:00:12.927Z

Reserved: 2026-04-01T20:20:41.608Z

Link: CVE-2026-5383

Vulnrichment

Updated: 2026-04-07T19:53:45.650Z

NVD

Status: Analyzed

Published: 2026-04-07T15:17:48.543

Modified: 2026-04-21T15:39:43.990

Link: CVE-2026-5383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:49:10Z

Weaknesses