CVE-2026-5374

Published: Apr 7, 2026Modified: Apr 21, 2026

5.8

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Exploitability: 1.3 / Impact: 4.0

Source: 44488dab-36db-4358-99f9-bc116477f914 (Secondary)

Description

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform.

Affected (1)

Products: Runzero: Runzero Platform

1 product

Runzero Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Runzero Runzero Platform	Before 4.0.260202.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://help.runzero.com/docs/release-notes/#402602020

Source: 44488dab-36db-4358-99f9-bc116477f914

Release Notes

https://www.runzero.com/advisories/runzero-platform-mcp-infoleak-cve-2026-5374/

Source: 44488dab-36db-4358-99f9-bc116477f914

Vendor Advisory

Timeline

No history available yet.