Severity by source
CVSS 3.1 vector (NVD, the only rating source for this CVE): CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
Description (source: CVE.org)
An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform.
Analysis (AI-generated)
runZero Platform versions prior to 4.0.260205.0 contain an incorrect authorization flaw that allows authenticated high-privileged users to access task information outside their authorized organization scope. The flaw is reachable over the network (AV:N) but requires high attack complexity (AC:H). The vulnerability is low-severity (CVSS 2.2) and limited to confidentiality impact (information disclosure), with no public exploit identified at the time of analysis.
Vulnerability Assessment (AI-generated)
| Section | Assessment |
| --- | --- |
| Risk Assessment | While the CVSS score of 2.2 is low, the risk assessment must account for multiple data points: (1) the vector shows authentication is required (PR:H, high-privilege user), significantly limiting the attack surface; (2) attack complexity is high (AC:H), meaning successful exploitation requires specific conditions; (3) impact is limited to confidentiality with only low-level information disclosure (C:L); (4) no KEV (CISA Known Exploited Vulnerabilities) status is indicated, and no public exploit code is referenced; (5) the defect affects task metadata rather than critical system functions or credentials. … |
| Exploit Scenario | A high-privileged administrator within one organization of a multi-tenant runZero deployment could craft API requests or use the platform interface to enumerate or retrieve task information from other organizations within the same instance. While the high authentication barrier (PR:H) and high complexity (AC:H) limit the likelihood, an insider with administrative privileges or a compromised admin account could use this flaw to conduct corporate espionage or gather sensitive information about other organizations' network scanning activities. … |
| Remediation | Vendor-released patch: upgrade runZero Platform to version 4.0.260205.0 or later. … |
Related identifiers
EUVD-2026-19698
GHSA-hm34-jchw-p8x7