{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5383", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "state": "PUBLISHED", "assignerShortName": "runZero", "dateReserved": "2026-04-01T20:20:41.608Z", "datePublished": "2026-04-07T14:12:32.422Z", "dateUpdated": "2026-04-07T20:00:12.927Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-04-07T14:12:32.422Z"}, "title": "runZero Explorer missing authorization check", "datePublic": "2026-04-07T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "runZero", "product": "Explorer", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.260208.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.<br>"}]}], "references": [{"url": "https://help.runzero.com/docs/release-notes/#402602080", "tags": ["release-notes"]}, {"url": "https://www.runzero.com/advisories/runzero-explorer-cve-2026-5383/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer"}]}], "credits": [{"lang": "en", "value": "runZero", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:53:40.801500Z", "id": "CVE-2026-5383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:00:12.927Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T19:53:40.801500Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:53:45.650Z"}}], "cna": {"title": "runZero Explorer missing authorization check", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "runZero"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "runZero", "product": "Explorer", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.260208.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer", "supportingMedia": [{"type": "text/html", "value": "This issue was fixed in version 4.0.26021.0 of the runZero Explorer", "base64": false}]}], "datePublic": "2026-04-07T14:00:00.000Z", "references": [{"url": "https://help.runzero.com/docs/release-notes/#402602080", "tags": ["release-notes"]}, {"url": "https://www.runzero.com/advisories/runzero-explorer-cve-2026-5383/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.", "supportingMedia": [{"type": "text/html", "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "44488dab-36db-4358-99f9-bc116477f914", "shortName": "runZero", "dateUpdated": "2026-04-07T14:12:32.422Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5383", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:00:12.927Z", "dateReserved": "2026-04-01T20:20:41.608Z", "assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914", "datePublished": "2026-04-07T14:12:32.422Z", "assignerShortName": "runZero"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:runzero:runzero_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "F47C6688-19AC-4FF8-9BEB-A1B3AD4F9BD9", "versionEndExcluding": "4.0.260208.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer."}], "id": "CVE-2026-5383", "lastModified": "2026-04-21T15:39:43.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary"}]}, "published": "2026-04-07T15:17:48.543", "references": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["Release Notes"], "url": "https://help.runzero.com/docs/release-notes/#402602080"}, {"source": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["Vendor Advisory"], "url": "https://www.runzero.com/advisories/runzero-explorer-cve-2026-5383/"}], "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.260208.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Explorer", "source": "cna", "vendor": "runZero"}, "product": "explorer", "vendor": "runzero"}], "analysis": {"en": {"generated_at": "2026-04-07T20:07:19.869225+00:00", "value": {"mitigation_remediation": ["Upgrade to runZero Explorer 4.0.26021.0 or later.", "Confirm that group access controls are functioning correctly after the upgrade."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to Explorer groups across organization scopes"}, "threat_synthesis": {"affected_systems": "RunZero Explorer versions prior to 4.0.26021.0 (the vendor notes that the issue was also fixed in 4.0.260208.0) runZero Explorer is the affected product. Anyone deploying these earlier builds is susceptible to the flaw.", "description_and_impact": "The vulnerability in runZero Explorer allows an attacker to view or interact with Explorer groups that fall outside the authorized organization scope. Because the application fails to enforce proper authorization checks, the flaw falls under CWE\u2011863, Incorrect Authorization. Although the CVSS scoring predicts low impact on confidentiality and higher impact on integrity, the ability to access groups where the attacker does not have permission can lead to unauthorized data visibility and potential manipulation of group settings.", "risk_and_exploitability": "The CVSS 3.1 score of 4.4 classifies the issue as medium severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, indicating that it is not a known exploited weakness at this time. The likely attack vector is through the web interface, where an unauthenticated or low\u2011privilege user can request group data that should be restricted."}}}}, "created": "2026-04-08T19:37:39.214370+00:00", "updated": "2026-04-08T19:49:10.248755+00:00", "vendors": ["runzero", "runzero$PRODUCT$explorer"]}