What is the CVSS score of CVE-2026-5380?

CVE-2026-5380 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-5380?

Yes, a patch is available for CVE-2026-5380. Update the affected software to the latest version immediately.

Platform CVE-2026-5380

EUVD-2026-19697 MEDIUM

Incorrect Authorization (CWE-863)

2026-04-07 runZero

GHSA-xm23-f7v4-5j82

Authentication Bypass Platform

5.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

4.0.260204.2

EUVD ID Assigned

Apr 07, 2026 - 15:00 euvd

EUVD-2026-19697

Analysis Generated

Apr 07, 2026 - 15:00 vuln.today

CVE Published

Apr 07, 2026 - 14:12 nvd

MEDIUM 5.3

DescriptionCVE.org

An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform.

AnalysisAI

runZero Platform versions prior to 4.0.260204.2 expose cleartext secrets for a subset of credential types and fields to authorized users due to insufficient credential protection, allowing users with legitimate platform access to view sensitive authentication data they should not be able to access. The vulnerability requires user interaction and has a CVSS score of 5.3 (Medium) with high confidentiality impact but no active exploitation or public exploit code identified at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates remote network access with high attack complexity, no privileges required, but user interaction needed, resulting in a 5.3 Medium score with high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An insider with valid runZero Platform credentials (e.g., a junior security analyst or contractor with basic platform access) navigates to a credential management interface and, due to insufficient authorization checks, is able to view and extract cleartext secrets for credential types the application failed to properly protect. The attacker then uses these exposed credentials to compromise connected systems or services. …
Remediation	Vendor-released patch: Upgrade to runZero Platform version 4.0.260204.2 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5380 vulnerability details – vuln.today

Back

Platform CVE-2026-5380

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code