runZero security update and new CVE releases


Today, we're happy to announce that we've started to allocate CVEs for runZero security updates. If you've applied any update since February 10, 2026 (version 4.0.26021.0), or are using our SaaS (which is most of our customers) there's no action for you to take. runZero consistently publishes security updates as they are fixed, and notes these fixes in the release notes, and we’re now allocating CVEs, starting with a recent batch that came from our last external audit. If you’re interested in the whys and wherefores of CVE allocations, read on!

First off, I’m glad to get these CVEs out the door, which may sound a little strange. After all, nobody’s happy when their product ships with vulnerabilities. But this does give me, incorrigible vulnerability-gazer todb, a reason to tout runZero’s overarching commitment to communicate transparently with our customers, users, and fans about the occasional bug that we happen to write, then find, and then fix. Best of all, there’s no reason to believe any of these were exploited in the wild (and we did check; if we ever find indicators of compromise, the affected customers would be the first to know).

In our role as a designated CVE Numbering Authority (or CNA), we are now expected to voluntarily (and, dare I say, enthusiastically) publish CVE records noting vulnerabilities that affect our own software. This first batch covers several months of bug-writing, concluding with CVE identifiers for an even dozen vulnerabilities. While most of them are pretty boring (everything in the set requires you to already be at least an authorized runZero user, and most are in the CVSS 5.8 Medium range), we’re committed to showing some uncomfortable proof that we actually do practice what we preach when it comes to security audits. We take our compliance requirements quite seriously, and we are going beyond an auditor’s checkbox when it comes to rolling out fixes before anything actually bad happens.

Going forward, we’re targeting the first Tuesday of every month for these CVE rollups, in order to give our customers and users a chance to apply fixes as we release them. To be clear, I expect there will be first-Tuesdays that go by with nary a bug to document. You'll notice that our most recent security issue was back in February, and I'm writing this in April, so you can expect to see a monthly report when there's something to share.

I’d also like to note that runZero has spent its entire corporate life offering security fixes as regular point releases, and we don’t expect to change that cadence now that we’re a CNA. Instead, we’re offering our customers the best of both worlds: rapid fixes for security issues (no matter how minor they seem), and follow-up documentation for the folks who continue to rely on the CVE ecosystem for alerting. This works for us because the runZero Platform is, at heart, a SaaS offering, which means that most of our users get these fixes without any heavy lifting or other action on their part. However, we’re also used in high-security environments that require an on-prem, air-gapped installation. Ironically, this means that those high-security customers may miss out on security fixes for a while, so we’re hopeful that publishing these CVEs might nudge them along to getting not just security fixes, but all of the sweet new features and refinements that they miss out on with a slower-than-instant update cycle.

Of course, in the unlikely event that things go really off the rails and someone else discovers and publishes a vulnerability of ours before we do ourselves, we’ll be first on the scene with a fix and a CVE in hand.

So, nobody likes shipping vulns, but the least we can do is be clear about our vulnerabilities when we find and fix them, both practically in release notes, and logistically for the global CVE community. Everybody writes bugs, but not everyone is on board with owning them, and that’s why I’m (weirdly) pleased to announce our twelve newly minted CVEs. For more details, swing by runZero’s Security Advisories page, or just look these up directly with your favorite CVE client.

CVEs for April, 2026

The list below is ordered by CVSS severity rating (High to Low; there were no Criticals). All hosted runZero Platform customers have already received the fixes, while on-prem customers will need to update to the latest version.

High

  • CVE-2026-5373: runZero Platform superuser privilege escalation, CVSS 8.1 (High)

Medium

  • CVE-2026-5372: runZero Platform SQL injection in saved queries, CVSS 6.4 (Medium)
  • CVE-2026-5376: runZero Platform session timeout failure, CVSS 5.9 (Medium)
  • CVE-2026-5374: runZero Platform MCP information leak, CVSS 5.8 (Medium)
  • CVE-2026-5378: runZero Platform user creation leak, CVSS 5.8 (Medium)
  • CVE-2026-5384: runZero Platform incorrect credential scope, CVSS 5.8 (Medium)
  • CVE-2026-5380: runZero Platform clear-text secret exposure, CVSS 5.3 (Medium)
  • CVE-2026-5383: runZero Explorer missing authorization check, CVSS 4.4 (Medium)

Low

  • CVE-2026-5379: runZero Platform MCP certification information leak, CVSS 3.0 (Low)
  • CVE-2026-5382: runZero Platform MCP endpoint information leak, CVSS 3.0 (Low)
  • CVE-2026-5375: runZero Platform API credential information leak, CVSS 2.7 (Low)
  • CVE-2026-5381: runZero Platform task information leak, CVSS 2.2 (Low)

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
