Severity by source
NVD: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS vector (NVD): CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Description (CVE.org)
An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform.
Analysis (AI)
Incorrect authorization in runZero Platform MCP endpoints allows authenticated high-privilege users to access records outside their authorized organization scope, exposing sensitive data across organizational boundaries. The vulnerability affects runZero Platform versions prior to 4.0.260206.0 and requires high-privilege credentials to exploit, resulting in limited confidentiality impact. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Risk Assessment | While the CVSS score of 3.0 (Low) reflects the impact constraints (high privilege requirement, PR:H; high attack complexity, AC:H; limited confidentiality impact, C:L; no integrity or availability impact), the real-world risk hinges on organizational deployment context. … |
| Exploit Scenario | A high-privilege administrator with legitimate access to runZero Platform's management console could intentionally or inadvertently query MCP endpoints to retrieve asset records, vulnerability data, or configuration information belonging to other organizations within the same platform instance. Due to the high attack complexity (AC:H) and privilege requirement, exploitation requires either deliberate abuse by an insider or a sophisticated social engineering scenario convincing an administrator to execute specific MCP queries. … |
| Remediation | Organizations should immediately upgrade to runZero Platform version 4.0.260206.0 or later, which includes the fix for the MCP endpoint authorization controls. … |
References
- EUVD-2026-19699
- GHSA-69vg-gq6x-ppc2