MAIN MENU
Solutions

Packages

Remote desktop
management & IT operations

Boost productivity, decrease costs, and increase security with a centralized platform where you can manage a wide range of remote connections and tools.

Workforce password management

Improve your security strategy without reducing productivity by using a password management solution.

Privileged access
management

Diminish the risk of insider threats and cyberattacks while providing audit and compliance requirements for your team.

Remote access
management

Establish a secure entry point for internal or external segmented networks that require authorized just-in-time (JIT) access.

IT automation with PowerShell Universal

Streamline routine IT tasks and boost productivity with integrated scripting, orchestration, and reporting.

blue box
Starter pack

The whole power of Devolutions half price for teams of 5

Proof of concept: 100+ users?

Quick overview

Compliance

Your trusted partner in security and compliance.

Integration center

Unified solutions: seamless integrations with Devolutions

Compare our solution packages Visit store & get a quote
Products
Products
Devolutions
Remote Desktop Manager

The best remote connection manager in the industry

Devolutions Password Manager

All-in-one application to securely access, manage, and use your credentials.

UniGetUI
UniGetUI Open source

Discover, install, and update all your Windows packages

Devolutions PowerShell Universal
Devolutions PowerShell Universal

Automate remote management with dashboards and APIs

Privileged access
Devolutions PAM

Secure, rotate, and audit every privileged account across your infrastructure

Companion tools
Devolutions Gateway
Devolutions Gateway Secure remote access — no VPN required
Devolutions Launcher
Devolutions Launcher Remote connection launching tool
Devolutions Agent
Devolutions Agent System service to control privileged operations
Online service
Devolutions Send
Devolutions Send Sharing secrets made quick, secure, and simple
Start for free
Resources
Resources
Academy

Your FREE go-to hub for mastering Devolutions' suite of products and services.

Forum

The Devolutions Forum is the place to go to connect with your peers and the Devolutions team.

Documentation

Get answers to product specifications, settings and more on our documentation.

Blog

Stay up to date with our weekly articles on our blog, the toolbox for your IT success.

On-demand Lab
Success stories
Reports & White papers
Devolutions Force
Learn a quick tip in 5 minutes! Browse feature requests
Company
About
Devolutions Timeline Lifestyle
Media
Devolutions logo Wallpapers
Careers
Welcome Available positions Spontaneous applications
Newsroom
Press releases Newsletters In the news Webinars
Security & compliance
Security Advisories Trust center Legal & privacy Report a security issue
Contact
Send message Send message Call me Call me
Technical support Sales Contact information

Security & compliance

Upholding the highest standards to protect your data and ensure trust.

Back to listing

DEVO-2026-0010

Devolutions Server is affected by multiple vulnerabilities.

Affected Products

Devolutions Server
2026.1.11 and earlier
Devolutions Server
2025.3.17 and earlier

Change Log

Initial publication - 2026-04-01

Added CVE-2026-8407 (missing authorization on PAM endpoints) - 2026-05-12

User impersonation via in external OAuth authentication flow

8.7 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Improper authentication in the external OAuth authentication flow in Devolutions Server allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.

CVE(s)

CVE-2026-4829

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12.0 or higher, 2025.3.18 or higher.

Credits

jtof_fap

Bypass of secondary authentication factor

7.7 High - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Improper authentication in the OAuth login functionality in Devolutions Server allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

CVE(s)

CVE-2026-4828, CVE-2026-4924

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher, 2025.3.18 or higher.

Missing authorization on PAM endpoints

7.1 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.

CVE(s)

CVE-2026-8407

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher, 2025.3.18 or higher.

MFA information returned to the user

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.

CVE(s)

CVE-2026-4927

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher.

MFA self-delete restriction bypass

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.

CVE(s)

CVE-2026-4925, CVE-2026-5175

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher.

SSRF in Gateway health check route

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.

CVE(s)

CVE-2026-4989

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher, 2025.3.18 or higher.

Credits

truff