What is the CVSS score of CVE-2026-5379?

CVE-2026-5379 has a CVSS 3.1 base score of 3.0 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-5379?

Yes, a patch is available for CVE-2026-5379. Update the affected software to the latest version immediately.

Platform CVE-2026-5379

EUVD-2026-19696 LOW

Incorrect Authorization (CWE-863)

2026-04-07 runZero

GHSA-pqp2-x3gp-9g37

Authentication Bypass Platform

3.0

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

3.0 LOW

AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

4.0.260203.0

EUVD ID Assigned

Apr 07, 2026 - 15:00 euvd

EUVD-2026-19696

Analysis Generated

Apr 07, 2026 - 15:00 vuln.today

CVE Published

Apr 07, 2026 - 14:11 nvd

LOW 3.0

DescriptionCVE.org

An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform.

AnalysisAI

runZero Platform versions prior to 4.0.260203.0 allow authenticated high-privilege MCP agents to access certificate information outside their authorized organization scope, enabling lateral information disclosure across organizational boundaries. The vulnerability stems from improper authorization checks (CWE-863) and carries a CVSS score of 3.0 (Low) due to high attack complexity and privilege requirements; no public exploit code or active exploitation has been identified.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Risk is contextual and depends on deployment model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated administrator or high-privilege MCP agent provisioned by an organization could send certificate queries to the runZero Platform API to retrieve certificate metadata belonging to other organizations in a multi-tenant instance, exposing public key details, issuer names, expiration dates, and subject information. No technical barrier (only organizational policy) would prevent this reconnaissance, allowing an attacker to build an inventory of competitors' or targets' PKI infrastructure. …
Remediation	Vendor-released patch: runZero Platform version 4.0.260203.0 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5379 vulnerability details – vuln.today

Back

Platform CVE-2026-5379

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code