Description
An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform.
Published: 2026-05-05
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improper privilege management (CWE-269) that permits a dashboard configuration to be viewed from outside the authorized organization scope. Rated CVSS 5.0 (Medium), it lets an authenticated user read another organization's dashboard configuration; the changed scope in the vector (S:C) reflects that the read crosses an organization boundary. Only confidentiality is affected (C:L, I:N, A:N): the issue does not allow the configuration to be modified and grants no code execution.

Affected Systems

The affected product is runZero Platform. Versions prior to v4.0.260416.0 are vulnerable; the issue was resolved in that release.

Risk and Exploitability

The vulnerability is not listed in CISA KEV and no EPSS score is currently available; the SSVC assessment recorded for it reads Exploitation: none, Automatable: no, Technical Impact: partial. The CVSS vector describes a network-reachable, low-complexity request that needs low privileges (PR:L), that is, a valid account on the platform, and no user interaction. The threat is to the confidentiality of another organization's dashboard configuration, and it is exploitable only by an authenticated user who can reach the affected endpoint.

Generated by OpenCVE AI on May 5, 2026 at 15:21 UTC.

Remediation

The vendor fix is the upgrade to runZero Platform v4.0.260416.0 named in the description; no separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade to runZero Platform v4.0.260416.0 or later.
  • Verify that dashboard configuration reads are authorized against the requesting user's organization and role, not merely against an authenticated session; the flaw is an authorization check that stops at authentication.
  • Until the upgrade is applied, limit the set of accounts that can authenticate to the platform, since exploitation requires a valid low‑privileged login.
  • Review platform audit logs for dashboard configuration reads in which the requester's organization differs from the organization that owns the dashboard, and review access controls regularly.
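The organization-scoped check the first two actions call for, as an added example: this is not runZero's code and makes no claim about how the runZero Platform implements the endpoint. The vulnerable handler fetches a dashboard configuration by ID after authentication alone, which is the CWE-269 pattern the advisory describes; the hardened handler keys the lookup on the caller's organization as well, requires a reading role, and records a denial event that a detection routine filters for genuine cross-organization attempts, which is the log review the last action asks for. The store, callers, role names and event fields are constructed for illustration.

```python
"""Organization-scoped authorization for a dashboard-configuration read.

Added example; not runZero code. It models the bug class in the advisory
(CWE-269): a lookup that checks that the caller is authenticated but not
that the requested object belongs to the caller's organization. The data
store, callers, role names and audit-log shape are all constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Caller:
    user_id: str
    org_id: str
    roles: frozenset


@dataclass(frozen=True)
class DashboardConfig:
    dashboard_id: str
    org_id: str
    widgets: tuple


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed store: two organizations, one dashboard each.
DASHBOARDS = {
    "dash-1": DashboardConfig("dash-1", "org-A", ("asset-count", "open-ports")),
    "dash-2": DashboardConfig("dash-2", "org-B", ("subnets", "service-inventory")),
}

# Constructed callers: a viewer in org-A and a service account with no roles.
ALICE = Caller("alice", "org-A", frozenset({"viewer"}))
NOBODY = Caller("svc", "org-A", frozenset())

READ_ROLES = frozenset({"viewer", "admin"})

# Constructed audit log; in a real deployment these events go to the SIEM.
AUDIT_LOG: list = []


def get_dashboard_vulnerable(caller: Caller, dashboard_id: str) -> DashboardConfig:
    """Flawed pattern: the caller is authenticated, but the record is fetched
    by ID alone, so a user in org-A can read org-B's dashboard configuration."""
    cfg = DASHBOARDS.get(dashboard_id)
    if cfg is None:
        raise NotFound(dashboard_id)
    return cfg


def _find_scoped(org_id: str, dashboard_id: str) -> Optional[DashboardConfig]:
    """Equivalent of `WHERE org_id = ? AND id = ?`: the tenant is part of the key."""
    cfg = DASHBOARDS.get(dashboard_id)
    return cfg if cfg is not None and cfg.org_id == org_id else None


def _deny(reason: str, caller: Caller, dashboard_id: str) -> None:
    """Record a denied read; 'reason' is 'role' or 'scope'."""
    AUDIT_LOG.append({"event": "dashboard.read.denied", "reason": reason,
                      "user": caller.user_id, "caller_org": caller.org_id,
                      "dashboard": dashboard_id})


def get_dashboard_hardened(caller: Caller, dashboard_id: str) -> DashboardConfig:
    """Require a reading role, scope the lookup to the caller's organization and
    record every denial. 'Exists in another org' and 'does not exist' raise the
    same error so the endpoint does not confirm which IDs are valid."""
    if not caller.roles & READ_ROLES:
        _deny("role", caller, dashboard_id)
        raise Forbidden(caller.user_id)
    cfg = _find_scoped(caller.org_id, dashboard_id)
    if cfg is None:
        _deny("scope", caller, dashboard_id)
        raise NotFound(dashboard_id)
    return cfg


def attempt(handler: Callable, caller: Caller, dashboard_id: str) -> tuple:
    """Run a handler and report ('ok', cfg), ('not_found', None) or ('forbidden', None)."""
    try:
        return ("ok", handler(caller, dashboard_id))
    except NotFound:
        return ("not_found", None)
    except Forbidden:
        return ("forbidden", None)


def cross_org_denials(log: list, store: dict) -> list:
    """Detection over the audit log: scope denials where the requested ID does
    exist but belongs to a different organization than the caller. Probing of
    IDs that exist nowhere is excluded, so every hit is a cross-tenant attempt."""
    hits = []
    for event in log:
        if event["event"] != "dashboard.read.denied" or event["reason"] != "scope":
            continue
        target = store.get(event["dashboard"])
        if target is not None and target.org_id != event["caller_org"]:
            hits.append({**event, "target_org": target.org_id})
    return hits
```

Calling `attempt(get_dashboard_vulnerable, ALICE, "dash-2")` returns org-B's configuration to an org-A user, which is the exposure; the hardened handler returns not-found for the same request and leaves an event that `cross_org_denials` surfaces. The scoped lookup belongs in the data-access layer (the tenant as part of the query key) rather than as a post-fetch comparison in each handler, so a new endpoint cannot forget it.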


Advisories

No advisories yet.

History

Tue, 05 May 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Runzero; Runzero platform
Vendors & Products  |                | Runzero; Runzero platform

Tue, 05 May 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 14:00:00 +0000

Type        | Values Removed | Values Added
Description |                | An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform.
Title       |                | runZero Platform dashboard configuration exposure
Weaknesses  |                | CWE-269
References  |                |
Metrics     |                | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-05-05T14:41:52.389Z

Reserved: 2026-05-04T15:23:54.909Z

Link: CVE-2026-7778

Vulnrichment

Updated: 2026-05-05T14:41:48.325Z

NVD

Status : Received

Published: 2026-05-05T14:16:09.473

Modified: 2026-05-05T14:16:09.473

Link: CVE-2026-7778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T16:30:27Z

Weaknesses