Devolutions Server
74 CVEs affecting Devolutions Server. Latest disclosed: 2026-06-02. Critical: 0, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-9047 | High | 7.6 | 2026-05-22 | Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's… |
| CVE-2026-7325 | High | 7.1 | 2026-05-22 | Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication mater… |
| CVE-2026-6706 | Medium | 6.5 | 2026-04-28 | Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unautho… |
| CVE-2026-9522 | Medium | 5.4 | 2026-06-02 | Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative pr… |
| CVE-2026-9251 | Medium | 5.4 | 2026-05-22 | Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-en… |
| CVE-2026-9590 | Medium | 5.3 | 2026-06-02 | Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privile… |
| CVE-2026-9245 | Medium | 5.0 | 2026-05-22 | Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to a… |
| CVE-2026-9246 | Medium | 4.3 | 2026-05-22 | Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retriev… |
| CVE-2026-9224 | Medium | 4.3 | 2026-05-22 | Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attrib… |
| CVE-2026-9223 | Medium | 4.3 | 2026-05-22 | Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vault… |
| CVE-2026-5171 | Medium | 4.3 | 2026-05-22 | Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required p… |
| CVE-2026-5146 | Medium | 4.3 | 2026-05-12 | Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user no… |
| CVE-2026-8407 | Medium | 4.3 | 2026-05-12 | Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secre… |
| CVE-2026-9249 | Low | 3.1 | 2026-05-22 | Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password chang… |
| CVE-2026-8477 | Low | 2.7 | 2026-05-22 | Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access… |
| CVE-2026-9248 | Low | 2.6 | 2026-05-22 | Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation a… |
| CVE-2026-9247 | Low | 2.4 | 2026-05-22 | Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without tr… |
| CVE-2026-4989 | | | 2026-04-01 | Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request f… |
| CVE-2026-5175 | | | 2026-04-01 | Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own conf… |
| CVE-2026-4925 | | | 2026-04-01 | Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove th… |