Devolutions server

This hub aggregates every CVE we track for Devolutions server. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Devolutions server.

• CVE-2026-12105Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.6.5Jun 16, 2026
• CVE-2026-12117Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not ...4.3Jun 16, 2026
• CVE-2026-11890Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.4.3Jun 16, 2026
• CVE-2026-10544Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbit...6.5Jun 8, 2026
• CVE-2026-10787Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This ...4.3Jun 8, 2026
• CVE-2026-10786Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations...6.5Jun 8, 2026
• CVE-2026-9522Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery s...5.4Jun 2, 2026
• CVE-2026-9590Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information withou...5.3Jun 2, 2026
• CVE-2026-5146Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session...4.3May 12, 2026
• CVE-2026-8407Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted ...4.3May 12, 2026
• CVE-2026-6706Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request...6.5Apr 28, 2026
• CVE-2026-4989Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to ...4.3Apr 1, 2026
• CVE-2026-5175Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account ...5.0Apr 1, 2026
• CVE-2026-4925Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (M...5.0Apr 1, 2026
• CVE-2026-4927Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. Thi...6.5Apr 1, 2026