Devolutions server
This hub aggregates every CVE we track for Devolutions server, a product in the consumer software space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 92
- Critical: 6
- High: 24
- In CISA KEV: 0
Severity distribution
- MEDIUM: 57
- HIGH: 24
- CRITICAL: 6
- LOW: 5
Monthly trend, 2024-08 to 2026-07 (values as charted): 0, 1, 0, 1, 3, 0, 1, 4, 0, 4, 3, 4, 0, 0, 3, 6, 0, 2, 3, 5, 8, 2, 9, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Devolutions server.
- CVE-2026-12755: Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-si... (Score: 2.7)
- CVE-2026-12105: Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions. (Score: 6.5)
- CVE-2026-12117: Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not ... (Score: 4.3)
- CVE-2026-11890: Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results. (Score: 4.3)
- CVE-2026-10544: Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbit... (Score: 6.5)
- CVE-2026-10787: Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This ... (Score: 4.3)
- CVE-2026-10786: Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations... (Score: 6.5)
- CVE-2026-9522: Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery s... (Score: 5.4)
- CVE-2026-9590: Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information withou... (Score: 5.3)
- CVE-2026-5146: Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session... (Score: 4.3)
- CVE-2026-8407: Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted ... (Score: 4.3)
- CVE-2026-6706: Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request... (Score: 6.5)
- CVE-2026-4989: Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to ... (Score: 4.3)
- CVE-2026-5175: Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account ... (Score: 5.0)
- CVE-2026-4925: Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (M... (Score: 5.0)
Product normalization is registry-driven with AI assist and human review.