MAIN MENU

Security & compliance

Upholding the highest standards to protect your data and ensure trust.

DEVO-2026-0013

Devolutions Server is affected by multiple vulnerabilities.

Affected Products

Devolutions Server
2026.1.16.0 and earlier
Devolutions Server
2025.3.20.0 and earlier

Change Log

Initial publication - 2026-05-21

Multi-factor authentication bypass

7.5 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.

CVE(s)

CVE-2026-9047

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher.

LDAP coercion exposing PAM provider authentication material

7.1 High - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server.

CVE(s)

CVE-2026-7325

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Credits

jtof_fap

Missing authorization on vault creation during import

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Missing authorization in the vault import feature in Devolutions Server allows a low-privileged authenticated user to create new vaults via a crafted import request.

CVE(s)

CVE-2026-9223

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher.

Pending Approval bypass via entry status change

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.

CVE(s)

CVE-2026-9251

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Improper access control on entry activity logs

4.3 Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.

CVE(s)

CVE-2026-5171

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Credits

Supr4s

Sealed entry notification bypass

2.7 Low - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request.

CVE(s)

CVE-2026-8477

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Credits

Supr4s

Missing authorization on user profile update

2.3 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.

CVE(s)

CVE-2026-9224

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Improper access control on sealed entry documentation and attachments

2.3 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.

CVE(s)

CVE-2026-9246

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Password change bypass without previous-password verification

2.3 Low - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.

CVE(s)

CVE-2026-9249

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Open redirect in external authentication provider flow

2.1 Low - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.

CVE(s)

CVE-2026-9245

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Insufficient logging when exporting sealed entries

2.0 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.

CVE(s)

CVE-2026-9247

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.

Authorization bypass on entry duplication

2.0 Low - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.

CVE(s)

CVE-2026-9248

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.19.0 or higher, 2025.3.22.0 or higher.