CVE-2026-12105
Published 2026-06-16
Priority: P4 · 28 · high · 7.5
EPSS: 0.20% (10.1th percentile)
Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows
an authenticated user to access attachments via folder duplication with
inherited permissions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2026.2.5 | 2026.2.5 |
| devolutions | devolutions_server | < 2026.1.21 | 2026.1.21 |
VulDB
Devolutions Server up to 2026.1.20/2026.2.4 Attachments authorization (DEVO-2026-0017 / EUVD-2026-37203)
vuldb·2026-06-16
CVE-2026-12105 [CRITICAL] Devolutions Server up to 2026.1.20/2026.2.4 Attachments authorization (DEVO-2026-0017 / EUVD-2026-37203)
A vulnerability classified as critical has been found in Devolutions Server up to 2026.1.20/2026.2.4. Affected is an unknown function of the component Attachments Handler. The manipulation leads to missing authorization.
This vulnerability is uniquely identified as CVE-2026-12105. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
ghsa_unreviewed·2026-06-16
CVE-2026-12105 [MEDIUM] CWE-862 Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
No detection rules found.
No public exploits indexed.