{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5381", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "state": "PUBLISHED", "assignerShortName": "runZero", "dateReserved": "2026-04-01T20:20:39.700Z", "datePublished": "2026-04-07T14:12:15.851Z", "dateUpdated": "2026-04-07T15:02:37.040Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-04-07T14:12:15.851Z"}, "title": "runZero Platform task information leak", "datePublic": "2026-04-07T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "runZero", "product": "Platform", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.260205.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.<br>"}]}], "references": [{"url": "https://help.runzero.com/docs/release-notes/#402602050", "tags": ["release-notes"]}, {"url": "https://www.runzero.com/advisories/runzero-platform-task-infoleak-cve-2026-5381/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 2.2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform"}]}], "credits": [{"lang": "en", "value": "runZero", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:02:22.776468Z", "id": "CVE-2026-5381", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:02:37.040Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5381", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:02:22.776468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:02:28.186Z"}}], "cna": {"title": "runZero Platform task information leak", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "runZero"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "runZero", "product": "Platform", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.260205.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform", "supportingMedia": [{"type": "text/html", "value": "This issue was fixed in version 4.0.260205.0 of the runZero Platform", "base64": false}]}], "datePublic": "2026-04-07T14:00:00.000Z", "references": [{"url": "https://help.runzero.com/docs/release-notes/#402602050", "tags": ["release-notes"]}, {"url": "https://www.runzero.com/advisories/runzero-platform-task-infoleak-cve-2026-5381/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.", "supportingMedia": [{"type": "text/html", "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-04-07T14:12:15.851Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5381", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:02:37.040Z", "dateReserved": "2026-04-01T20:20:39.700Z", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "datePublished": "2026-04-07T14:12:15.851Z", "assignerShortName": "runZero"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:runzero:runzero_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA02DE04-B6E8-40D2-877F-1DE25734B4C1", "versionEndExcluding": "4.0.260205.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform."}], "id": "CVE-2026-5381", "lastModified": "2026-04-21T15:36:01.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary"}]}, "published": "2026-04-07T15:17:48.230", "references": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["Release Notes"], "url": "https://help.runzero.com/docs/release-notes/#402602050"}, {"source": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["Vendor Advisory"], "url": "https://www.runzero.com/advisories/runzero-platform-task-infoleak-cve-2026-5381/"}], "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.260205.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Platform", "source": "cna", "vendor": "runZero"}, "product": "platform", "vendor": "runzero"}], "analysis": {"en": {"generated_at": "2026-04-07T20:35:43.176748+00:00", "value": {"mitigation_remediation": ["Upgrade the runZero Platform to version 4.0.260205.0 or later to close the authorization flaw", "Verify that the update has been applied by checking the release notes on the runZero documentation site", "Review user permissions to ensure that only necessary teams have access to task-related data"], "summary": {"action": "Patch", "impact": "Limited confidentiality exposure"}, "threat_synthesis": {"affected_systems": "Users of the runZero Platform running any release earlier than 4.0.260205.0 are potentially affected. The vulnerability has been fixed in version 4.0.260205.0; no other affected version details are disclosed.", "description_and_impact": "The runZero Platform contains a weakness that allows task information to be disclosed beyond the boundaries of the authorized organization. This issue results from incorrect authorization checks (CWE\u2011863). The information that can be leaked is task data; the CVE description indicates that confidentiality is lowered while integrity and availability remain unaffected. As specified by the CVSS metric, the impact is rated low.", "risk_and_exploitability": "The CVSS vector shows a network-based attack (AV:N) that requires high authentication (PR:H) and high complexity (AC:H). Earning a score of 2.2, the overall risk is low. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, which further indicates that it is not widely exploited. Nonetheless, because the flaw permits leaking sensitive task data to an unauthorized organization, prompt remediation is advisable."}}}}, "created": "2026-04-08T19:37:41.512083+00:00", "updated": "2026-04-08T19:49:12.555199+00:00", "vendors": ["runzero", "runzero$PRODUCT$platform"]}