CVE-2026-11890
published 2026-06-16CVE-2026-11890: Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery…
PriorityP429
EPSS
0.16%
5.8th percentile
Improper access control in PAM account discovery results in Devolutions
Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve
account discovery scan results.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2026.2.5 | 2026.2.5 |
| devolutions | devolutions_server | < 2026.1.21 | 2026.1.21 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Devolutions Server up to 2026.1.20/2026.2.4 information disclosure (DEVO-2026-0017)
vuldb·2026-06-16
CVE-2026-11890 [LOW] Devolutions Server up to 2026.1.20/2026.2.4 information disclosure (DEVO-2026-0017)
A vulnerability described as problematic has been identified in Devolutions Server up to 2026.1.20/2026.2.4. This impacts an unknown function. Executing a manipulation can lead to information disclosure.
This vulnerability is handled as CVE-2026-11890. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is recommended.
GHSA
Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
ghsa_unreviewed·2026-06-16
CVE-2026-11890 [MEDIUM] CWE-284 Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
Improper access control in PAM account discovery results in Devolutions
Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve
account discovery scan results.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-16
Published