MAIN MENU
Solutions

Packages

Remote desktop
management & IT operations

Boost productivity, decrease costs, and increase security with a centralized platform where you can manage a wide range of remote connections and tools.

Workforce password management

Improve your security strategy without reducing productivity by using a password management solution.

Privileged access
management

Diminish the risk of insider threats and cyberattacks while providing audit and compliance requirements for your team.

Remote access
management

Establish a secure entry point for internal or external segmented networks that require authorized just-in-time (JIT) access.

IT automation with PowerShell Universal

Streamline routine IT tasks and boost productivity with integrated scripting, orchestration, and reporting.

Devolutions
Remote Desktop Manager Free

Best all-in-one remote connection and credential management tool for independent IT users

blue box
Starter pack

The whole power of Devolutions half price for teams of 5

Proof of concept: 100+ users?

Quick overview

Compliance

Your trusted partner in security and compliance.

Integration center

Unified solutions: seamless integrations with Devolutions

Compare our solution packages Visit store & get a quote
Products
Products
Devolutions
Remote Desktop Manager

The best remote connection manager in the industry

Devolutions Workspace

Improve your security strategy without reducing productivity by using a password management solution.

UniGetUI
UniGetUI Open source

Discover, install, and update all your Windows packages

Devolutions PowerShell Universal
Devolutions PowerShell Universal

Automate remote management with dashboards and APIs

Privileged access
Devolutions PAM

Secure, rotate, and audit every privileged account across your infrastructure

Vaults
Devolutions Server Self-hosted
Self-hosted credential manager
Devolutions Cloud Cloud-hosted
Cloud-hosted password manager
Companion tools
Devolutions Gateway
Devolutions Gateway Secure remote access — no VPN required
Devolutions Launcher
Devolutions Launcher Remote connection launching tool
Devolutions Agent
Devolutions Agent System service to control privileged operations
Online service
Devolutions Send
Devolutions Send Sharing secrets made quick, secure, and simple
Discover Remote Desktop Manager Free See more free tools for individual users
Resources
Resources
Academy

Your FREE go-to hub for mastering Devolutions' suite of products and services.

Forum

The Devolutions Forum is the place to go to connect with your peers and the Devolutions team.

Documentation

Get answers to product specifications, settings and more on our documentation.

Blog

Stay up to date with our weekly articles on our blog, the toolbox for your IT success.

On-demand Lab
Success stories
Reports & White papers
Devolutions Force
Learn a quick tip in 5 minutes! Browse feature requests
Company
About
Devolutions Timeline Lifestyle
Media
Devolutions logo Wallpapers
Careers
Welcome Available positions Spontaneous applications
Newsroom
Press releases Newsletters In the news
Security & compliance
Security Advisories Trust center Legal & privacy Report a security issue
Contact
Send message Send message Call me Call me
Technical support Sales Contact information

Security & compliance

Upholding the highest standards to protect your data and ensure trust.

Back to listing

DEVO-2026-0013

Devolutions Server is affected by multiple vulnerabilities.

Affected Products

Devolutions Server
2026.1.16.0 and earlier
Devolutions Server
2025.3.20.0 and earlier

Change Log

Initial publication - 2026-05-21

7.5 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Multi-factor authentication bypass

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.

Affected Products

CVE(s)

CVE-2026-9047

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher.

7.1 High - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

LDAP coercion exposing PAM provider authentication material

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server.

Affected Products

CVE(s)

CVE-2026-7325

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Credits

jtof_fap

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Missing authorization on vault creation during import

Missing authorization in the vault import feature in Devolutions Server allows a low-privileged authenticated user to create new vaults via a crafted import request.

Affected Products

CVE(s)

CVE-2026-9223

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher.

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Pending Approval bypass via entry status change

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.

Affected Products

CVE(s)

CVE-2026-9251

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

4.3 Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Improper access control on entry activity logs

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.

Affected Products

CVE(s)

CVE-2026-5171

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Credits

Supr4s

2.7 Low - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Sealed entry notification bypass

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.

Affected Products

CVE(s)

CVE-2026-8477

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Credits

Supr4s

2.3 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Missing authorization on user profile update

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.

Affected Products

CVE(s)

CVE-2026-9224

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

2.3 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Improper access control on sealed entry documentation and attachments

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.

Affected Products

CVE(s)

CVE-2026-9246

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

2.3 Low - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Password change bypass without previous-password verification

Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.

Affected Products

CVE(s)

CVE-2026-9249

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

2.1 Low - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Open redirect in external authentication provider flow

Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.

Affected Products

CVE(s)

CVE-2026-9245

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

2.0 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Insufficient logging when exporting sealed entries

Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.

Affected Products

CVE(s)

CVE-2026-9247

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

2.0 Low - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Authorization bypass on entry duplication

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.

Affected Products

CVE(s)

CVE-2026-9248

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.