CVE-2026-5374

medium

Description

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform.

References

https://www.runzero.com/advisories/runzero-platform-mcp-infoleak-cve-2026-5374/

https://help.runzero.com/docs/release-notes/#402602020

Details

Source: Mitre, NVD

Published: 2026-04-07

Updated: 2026-04-21

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.8

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00026