This page lists publicly disclosed CVE vulnerabilities affecting runzero runzero_platform (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-5384 | An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.8 | 0.03% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5383 | An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer. | 44488dab-36db-4358-99f9-bc116477f914 | 4.4 | 0.06% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5382 | An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 3.0 | 0.02% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5381 | An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 2.2 | 0.02% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5380 | An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.3 | 0.03% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5379 | An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 3.0 | 0.01% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5378 | An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N (5.8 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.8 | 0.02% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5376 | An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.9 | 0.03% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5375 | An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 2.7 | 0.03% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5374 | An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.8 | 0.03% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5373 | An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 8.1 | 0.03% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5372 | An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (6.4 Medium). This issue was fixed in version 4.0.260123.1 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 6.4 | 0.03% | 2026-04-07 | 2026-04-21 |