Security & compliance
Upholding the highest standards to protect your data and ensure trust.
DEVO-2026-0024
Devolutions Server is affected by multiple vulnerabilities.
Affected Products
Change Log
Initial publication - 2026-07-14
Improper authorization on PAM SSH key and certificate retrieval endpoints
7.3 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier.
CVE(s)
CVE-2026-15637
Remediation and Workarounds
Upgrade to Devolutions Server 2026.1.23.0, 2026.2.12.0 or higher
Improper authorization on access request status endpoint allows self-approval
7.1 High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review.
CVE(s)
CVE-2026-15641
Remediation and Workarounds
Upgrade to Devolutions Server 2026.1.23.0, 2026.2.12.0 or higher
Credits
dorjoo
Insertion of Azure Key Vault client secret into Recovery Kit response file
2.0 Low - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Insertion of sensitive information into a file in the Recovery Kit response file generation feature in Devolutions Server 2026.1.22.0, 2026.2.11.0 allows an attacker with access to the generated response file to obtain the Azure Key Vault client secret in cleartext, even when the option to exclude sensitive data is selected.
CVE(s)
CVE-2026-15642
Remediation and Workarounds
Upgrade to Devolutions Server 2026.1.23.0, 2026.2.12.0 or higher
Improper authorization (IDOR) on secure messages deletion endpoint
3.1 Low - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Improper authorization in the secure messages deletion endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated user to delete another user's messages via a direct object reference to the message identifier.
CVE(s)
CVE-2026-15058
Remediation and Workarounds
Upgrade to Devolutions Server 2026.2.12, 2026.1.23 or higher
Credits
rizalyeswehack