CVE-2026-10787
Published 2026-06-08
Priority: P4 · 25 · medium · 4.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.15% (5.1th percentile)
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2026.1.21.0 | 2026.1.21.0 |
| devolutions | devolutions_server | — | — |
| devolutions | server | <= 2026.1.20.0 | — |
| devolutions | server | — | — |
GHSA
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.
ghsa_unreviewed·2026-06-08
CVE-2026-10787 [MEDIUM] CWE-862 Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.
This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
VulDB
Devolutions Server up to 2026.1.20.0/2026.2.4.0 Deleted User Groups API authorization (DEVO-2026-0015)
vuldb·2026-06-08
CVE-2026-10787 [LOW] Devolutions Server up to 2026.1.20.0/2026.2.4.0 Deleted User Groups API authorization (DEVO-2026-0015)
A vulnerability marked as problematic has been reported in Devolutions Server up to 2026.1.20.0/2026.2.4.0. This affects an unknown function of the component Deleted User Groups API. This manipulation causes missing authorization.
The identification of this vulnerability is CVE-2026-10787. It is possible to initiate the attack remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-08