CVE-2026-9245
CVE-2026-9245 describes an improper input validation vulnerability in the external authentication provider flow of Devolutions Server. An unauthenticated remote attacker can coerce victims of Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier to be redirected to an attacker‑con...
CVE-2026-9251
The CVE-2026-9251 issue affects Devolutions Server versions 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. The vulnerability arises from missing authorization in the entry status management feature, allowing a non-administrator authenticated user to bypass the administrator-enforced Pending ...
CVE-2026-3224
Affected software: Devolutions Server (versions 2025.3.15.0 and earlier). Vulnerability: Authentication bypass in Microsoft Entra ID (Azure AD) mode, allowing an unauthenticated user to impersonate any Entra ID user via a forged JWT. Documented behavior points to exploitation via the /api/v1/logi...
CVE-2026-9224
CVE-2026-9224: The issue in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request due to missing authorization in the user profile update feature. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and e...
CVE-2026-9590
Technical details beyond the description are not publicly provided in the supplied documents. No affected versions, exploit specifics, or remediation steps are confirmed here; monitor for updates from the vendor and standard advisories.
CVE-2026-5171
CVE-2026-5171 describes improper access control in Devolutions Server’s entry activity log feature. An authenticated user with access to an entry but lacking the required permission can retrieve that entry’s activity logs via a crafted API request. Affected: Devolutions Server 2026.1.6.0–2026.1.1...
CVE-2026-8477
CVE-2026-8477 describes an issue in Devolutions Server where the sealed-entry workflow for entry sensitive-data retrieval can be bypassed: an authenticated user with access to a sealed entry could fetch its sensitive data without triggering the unseal audit via a crafted API request. Affected ver...
CVE-2025-8312
CVE-2025-8312 describes a deadlock in Devolutions Server’s PAM automatic check-in feature that can allow a password to stay valid past its intended check-out. Affected versions include Devolutions Server 2025.2.2.0 through 2025.2.5.0 and 2025.1.12.0 and earlier. The root cause is a scheduling-ser...
CVE-2025-8353
The CVE-2025-8353 entry concerns a UI synchronization issue in Devolutions Server (JIT) that affects versions prior to and including 2025.2.4.0. A remote authenticated attacker could exploit stale UI state during standard checkout processing to gain unauthorized access to deleted JIT Groups. Affe...
CVE-2026-10787
The CVE-2026-10787 entry concerns Devolutions Server (versions 2026.2.4.0 and 2026.1.20.0 and earlier) where missing authorization in the deleted user groups API allows an authenticated, low-privileged user to enumerate metadata of deleted user groups via a crafted API request. The issue targets ...
CVE-2026-9246
CVE-2026-9246: Improper access control in Devolutions Server’s entry documentation and attachment features allows an authenticated user with vault read access to retrieve documentation and attachments of sealed entries via a crafted API request. Affected: Devolutions Server 2026.1.6.0–2026.1.16....
CVE-2026-9249
This CVE concerns Devolutions Server where a crafted password-change request allows an attacker to change a user’s password without providing the current one. Affected versions include Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier; no root-cause or fix details are provided...
CVE-2025-6741
CVE-2025-6741 describes improper access control in the Devolutions Server secure message component, enabling an authenticated user to steal unauthorized entries via the secure message entry attachment feature. Affected are Devolutions Server 2025.2.2.0–2025.2.4.0 and 2025.1.11.0 and earlier. Root...
CVE-2026-9247
CVE-2026-9247: Insufficient logging in Devolutions Server’s entry export feature allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. Root cause: l...
CVE-2026-10786
CVE-2026-10786 affects Devolutions Server 2026.2.4.0 and 2026.1.20.0 and earlier. The issue is improper access control in the ticketing integration settings that allows an authenticated low-privilege user to obtain cleartext credentials for configured ticketing integrations via a crafted API requ...
CVE-2026-7325
The CVE-2026-7325 entry applies to Devolutions Server, with affected versions 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. The issue is an improper authorization in the Active Directory browsing feature that lets a low-privileged authenticated user obtain authentication material associated...
CVE-2026-8407
CVE-2026-8407 affects Devolutions Server where the PAM module’s authorization is missing. An authenticated user with a PAM license but no additional permissions can craft requests to PAM API endpoints to retrieve OTP secret keys and recovery codes. Impacted versions include Devolutions Server 202...
CVE-2026-9223
CVE-2026-9223 affects Devolutions Server (versions 2026.1.16.0 and earlier) where the vault import feature has missing authorization. This allows a low-privileged authenticated user to create new vaults via a crafted import request. The provided documents do not include exploitation details, scop...
CVE-2026-9248
CVE-2026-9248 details an authorization bypass in Devolutions Server’s entry-duplication feature. An authenticated user with write access to any vault can craft a save request to copy documentation and attachments from an entry in a vault they cannot access. Affected versions include Devolutions S...
CVE-2025-13757
CVE-2025-13757 affects Devolutions Server. The issue is an SQL injection in the last usage logs, exploitable across affected builds through 2025.2.20 and 2025.3.8. CVSS v3.1 base score 8.8 (NETWORK, LOW complexity, LOW privileges, no user interaction). Impact is high on confidentiality, integrity...
CVE-2025-6523
CVE-2025-6523 affects Devolutions Server, where the emergency authentication component allows unauthenticated bypass via brute-forcing short emergency codes. Affected are Devolutions Server 2025.2.2.0–2025.2.3.0 and 2025.1.11.0 and earlier. Root cause is use of weak credentials in the emergency a...
CVE-2026-9047
CVE-2026-9047 concerns Devolutions Server for versions 2026.1.6.0 through 2026.1.16.0. The issue is described as improper handling of factor key state in the multi‑factor authentication management feature, enabling an attacker who knows a user’s password to bypass MFA after the user reconfigures ...
CVE-2025-11619
The CVE-2025-11619 entry affects Devolutions Server. Affected component: the server’s gateway connection path where improper certificate validation occurs during gateway connections. Root cause: improper certificate validation enables a man-in-the-middle position to intercept traffic when establi...
CVE-2025-13683
CVE-2025-13683 describes exposure of credentials via unintended requests in Devolutions Server and Devolutions Remote Desktop Manager on Windows. Affected versions: Devolutions Server up to 2025.3.8.0 and Remote Desktop Manager up to 2025.3.23.0. Impact is high confidentiality exposure over netwo...
CVE-2026-0610
CVE-2026-0610 is a SQL Injection vulnerability in the remote-sessions component of Devolutions Server. Affected versions are 2025.3.1 through 2025.3.12. The issue is caused by unsafely constructed SQL queries in the remote-sessions functionality, enabling an attacker to potentially read or modify...
CVE-2026-10544
This CVE (CVE-2026-10544) affects Devolutions Server, specifically versions 2026.2.4.0 and 2026.1.20.0 and earlier. The issue is described as improper neutralization of special elements in the built-in PAM provider password rotation templates, allowing an authenticated user with write access to a...
CVE-2025-11957
Devolutions Server (versions up to and including 2025.2.12.0) is affected by an improper authorization vulnerability in the temporary access workflow. An authenticated basic user can self-approve or approve others’ temporary access requests, enabling unauthorized access to vaults and entries via ...
CVE-2025-11958
Devolutions Server
CVE-2025-13765
CVE-2025-13765 affects Devolutions Server, where email service credentials are exposed to non-administrative users. Public details in connected documents specify affected versions as before 2025.2.21 and before 2025.3.9. The issue’s root cause is credential exposure in the email service, with mul...
CVE-2025-13758
CVE-2025-13758 is tied to Devolutions Server and describes exposure of credentials in unintended requests. The connected Nessus entry (DEVO-2025-0018) confirms this issue alongside related CVEs and states affected versions include Devolutions Server up to 2025.2.20 and up to 2025.3.8, respectivel...
CVE-2026-1007
CVE-2026-1007: Incorrect Authorization in Devolutions Server's virtual gateway component allows bypassing deny IP rules. Affected server versions: 2025.3.1–2025.3.12. CVSS v3.1 base score 7.6 (Network, Low attack complexity, High privileges required, Confidentiality Low, Integrity High, Availabil...
CVE-2026-3130
CVE-2026-3130 affects Devolutions Server 2025.3.15 and earlier. The issue is “improper enforcement of behavioral controls” that lets an authenticated user with delete permission delete a PAM account that is currently checked out when selected alongside at least one non-checked-out account in a bu...
CVE-2025-12485
CVE-2025-12485 affects Devolutions Server, with vulnerable cookie handling in pre-MFA flow. A low-privileged authenticated user can impersonate another account by replaying the pre-MFA cookie; MFA verification is not bypassed. Affected versions include Devolutions Server 2025.3.2.0–2025.3.5.0 and...
CVE-2026-4924
CVE-2026-4924 describes an improper authentication in the 2FA feature of Devolutions Server prior to 2026.1.12 (also before 2026.1.11 per advisories), where a remote actor with valid credentials can bypass MFA by reusing a partially authenticated session token, enabling unauthorized access to a v...
CVE-2026-5175
The Devolutions Server MFA management API is affected by improper access control (CVE-2026-5175) allowing an authenticated attacker to delete their own MFA factors, lowering protection to password-only authentication. Affected versions are 2026.1.6 through 2026.1.11; remediation per the public ad...
CVE-2026-11890
The CVE-2026-11890 entry concerns Devolutions Server versions 2026.1.21 and 2026.2.5, where improper access control in PAM account discovery allows an authenticated user to retrieve account discovery scan results. The connected documents confirm affected software and the root cause (in PAM accoun...
CVE-2026-3131
CVE-2026-3131: Devolutions Server prior to 2025.3.14.0 suffers improper access control in multiple DVLS REST API endpoints, allowing an authenticated user with view-only permission to access sensitive connection data. Connected sources indicate remediation by upgrading to 2025.3.15.0 or later; o...
CVE-2026-4434
CVE-2026-4434: Improper certificate validation in PAM propagation WinRM connections enables a network attacker to perform a man-in-the-middle attack when TLS certificate verification is disabled. Documented across multiple feeds (Red Hat, EUVD, NVD, etc.) with a high impact concern (CVSS 8.1). Af...
CVE-2026-4828
Summary (CVE-2026-4828): Devolutions Server prior to 2026.1.12 is affected by an improper authentication flaw in the OAuth login flow that enables a remote attacker with valid credentials to bypass MFA via a crafted login request. Affected versions include 2026.1.11 and earlier. The issue is mit...
CVE-2026-4829
Summary: CVE-2026-4829 affects Devolutions Server versions up to 2026.1.11 (and earlier) and relates to improper authentication in the external OAuth flow. An authenticated user can authenticate as other users, including administrators, by reusing a session code from an external authentication fl...
CVE-2026-4927
CVE-2026-4927 affects Devolutions Server. A flaw in the MFA feature allows users with user-management privileges to obtain other users’ OTP keys via an authenticated API request, exposing sensitive information. Affected versions are 2026.1.6 through 2026.1.11. No remediation details are provided ...
CVE-2026-9522
Summary (CVE-2026-9522): Improper access control in the PAM account discovery feature of Devolutions Server 2026.1.19 and earlier enables an authenticated user without administrative privileges to delete network discovery scan configurations. Affected product is Devolutions Server (version line n...
CVE-2025-12808
CVE-2025-12808 affects Devolutions Server. The vulnerability is due to improper access control that allows a View-only user to retrieve sensitive third-level nested fields (e.g., password lists custom values), potentially leading to password disclosure. Affected versions include Devolutions Serve...
CVE-2026-1768
CVE-2026-1768 describes a permission cache poisoning vulnerability in Devolutions Server that allows authenticated users to bypass permissions and access entries. Affected are Devolutions Server versions prior to 2025.3.15. The issue is confirmed across multiple sources and is addressed by upgrad...
CVE-2026-3204
CVE-2026-3204 describes an improper input validation in the error message page of Devolutions Server, enabling remote attackers to spoof the displayed error message via a specially crafted URL. Public references consistently cite Devolutions Server 2025.3.16 and earlier as affected; connected sou...
CVE-2026-3221
CVE-2026-3221 affects Devolutions Server, specifically versions 2025.3.14 and earlier. The root cause is unencrypted storage of sensitive user account information in the database, enabling an attacker with direct database access to obtain sensitive data. Impact is information disclosure; exploita...
CVE-2026-4989
The CVE-2026-4989 entry describes a vulnerability in Devolutions Server where improper input validation in the gateway health check enables a low-privilege authenticated user to trigger server-side request forgery (SSRF) and potentially disclose information. Affected versions include 2026.1.1–202...
CVE-2026-5146
CVE-2026-5146 targets Devolutions Server. The issue is improper access control in the notification management endpoints, allowing an unauthenticated attacker to modify or delete arbitrary user notification records due to missing session validation. Affected versions range from Devolutions Server ...
CVE-2026-12105
CVE-2026-12105 affects Devolutions Server in versions 2026.2.5 and 2026.1.21. The root cause is improper access control that allows an authenticated user to access attachments via folder duplication with inherited permissions. The documented impact is confidential data exposure (high) with a CVSS...
CVE-2026-12117
CVE-2026-12117 affects Devolutions Server 2026.2.5: improper access control in the social login connection endpoint allows an authenticated vault member to enumerate social login entry metadata they are not authorized to access via a crafted API request. CVSSv3.1 base score is 4.3 (Medium). The p...