Description
An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform.
References (2)
Core 2
Core References
Release Notes release-notes
https://help.runzero.com/docs/release-notes/#402602020
Vendor Advisory vendor-advisory
https://www.runzero.com/advisories/runzero-platform-su-privesc-cve-2026-5373/
Scores
CVSS v3
8.1
EPSS
0.0022
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-269
Status
published
Products (2)
runZero/Platform
< 4.0.260202.0
runzero/runzero_platform
< 4.0.260202.0
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026