Skip to main content

runZero Platform CVE-2026-7778

| EUVDEUVD-2026-27331 MEDIUM
Improper Privilege Management (CWE-269)
2026-05-05 runZero
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 05, 2026 - 15:01 EUVD
Analysis Generated
May 05, 2026 - 14:30 vuln.today

DescriptionCVE.org

An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform.

AnalysisAI

Cross-organization dashboard configuration disclosure in runZero Platform allows authenticated users to view sensitive dashboard configurations outside their authorized organization scope via network requests. The vulnerability stems from improper privilege management (CWE-269) and affects versions prior to v4.0.260416.0, enabling authenticated attackers with low privileges to escalate access and view confidential configuration data across organizational boundaries.

Technical ContextAI

runZero Platform is a network intelligence and asset management system. The vulnerability exists in the dashboard configuration retrieval mechanism, which fails to properly validate organizational scope boundaries before returning sensitive configuration data to authenticated users. This is a classic privilege management flaw (CWE-269) where authorization checks are insufficient or missing when accessing resources that should be restricted to specific organization scopes. The issue affects the core platform API endpoints responsible for dashboard configuration queries, allowing cross-organization information disclosure through network-accessible interfaces.

RemediationAI

Upgrade runZero Platform to version v4.0.260416.0 or later immediately. This patched version includes authorization fixes that properly enforce organizational scope boundaries on dashboard configuration requests. Organizations using earlier versions should prioritize this upgrade, particularly those operating multi-tenant deployments with sensitive dashboard configurations containing organization-specific data. No workarounds are available prior to patching. After upgrade, verify that dashboard configuration endpoints correctly reject cross-organization access by testing with user accounts from different organizations. Refer to runZero's official advisory at https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/ and release notes at https://help.runzero.com/docs/release-notes/#402604160 for detailed upgrade instructions.

CVE-2026-56769 MEDIUM POC
6.3 Jun 25

Server-side request forgery in Huly Platform's /import endpoint allows authenticated workspace users to coerce the front

CVE-2023-45162 CRITICAL
9.8 Oct 13

Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution. Rated

CVE-2023-36825 CRITICAL
9.8 Jul 11

Orchid is a Laravel package that allows application development of back-office applications, admin/user panels, and dash

CVE-2020-8775 HIGH
8.9 Apr 29

Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags.

CVE-2020-8773 HIGH
8.9 Apr 29

The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. Rate

CVE-2026-5373 HIGH
8.1 Apr 07

Improper privilege management in runZero Platform allows organization administrators to escalate privileges to superuser

CVE-2025-1683 HIGH
7.8 Mar 12

Improper link resolution before file access in the Nomad module of the 1E Client, in versions prior to 25.3, enables an

CVE-2025-57210 HIGH
7.5 Dec 04

Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive

CVE-2025-57213 HIGH
7.5 Dec 04

Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensiti

CVE-2025-57212 HIGH
7.5 Dec 04

Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive i

CVE-2023-5964 HIGH
7.2 Nov 06

The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exch

CVE-2023-45163 HIGH
7.2 Nov 06

The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does n

Share

CVE-2026-7778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy