MAIN MENU

Security & compliance

Upholding the highest standards to protect your data and ensure trust.

DEVO-2026-0024

Devolutions Server is affected by multiple vulnerabilities.

Affected Products

Devolutions Server
2026.2.11 and earlier, 2026.1.22 and earlier

Change Log

Initial publication - 2026-07-14

Improper authorization on PAM SSH key and certificate retrieval endpoints

7.3 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier.

CVE(s)

CVE-2026-15637

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.23.0, 2026.2.12.0 or higher

Improper authorization on access request status endpoint allows self-approval

7.1 High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review.

CVE(s)

CVE-2026-15641

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.23.0, 2026.2.12.0 or higher

Credits

dorjoo

Insertion of Azure Key Vault client secret into Recovery Kit response file

2.0 Low - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Insertion of sensitive information into a file in the Recovery Kit response file generation feature in Devolutions Server 2026.1.22.0, 2026.2.11.0 allows an attacker with access to the generated response file to obtain the Azure Key Vault client secret in cleartext, even when the option to exclude sensitive data is selected.

CVE(s)

CVE-2026-15642

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.23.0, 2026.2.12.0 or higher

Improper authorization (IDOR) on secure messages deletion endpoint

3.1 Low - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Improper authorization in the secure messages deletion endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated user to delete another user's messages via a direct object reference to the message identifier.

CVE(s)

CVE-2026-15058

Remediation and Workarounds

Upgrade to Devolutions Server 2026.2.12, 2026.1.23 or higher

Credits

rizalyeswehack