CVE-2026-6706
Published 2026-04-28
CVE-2026-6706: Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from…
Priority: P3 | 40 | medium | 6.5 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.20% (10.1th percentile)
Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.
This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2025.3.19.0 | 2025.3.19.0 |
| devolutions | devolutions_server | >= 2026.1.6.0 < 2026.1.15.0 | 2026.1.15.0 |
| devolutions | server | <= 2025.3.18.0 | — |
| devolutions | server | <= 2026.1.14.0 | — |
| devolutions | server | 2026.1.6.0 – 2026.1.14.0 | — |
VulDB
Devolutions Server up to 2026.1.14.0 API authorization (DEVO-2026-0011)
vuldb·2026-04-28
CVE-2026-6706 [LOW] Devolutions Server up to 2026.1.14.0 API authorization (DEVO-2026-0011)
A vulnerability categorized as problematic has been discovered in Devolutions Server up to 2026.1.14.0. Affected by this issue is some unknown functionality of the component API Handler. The manipulation results in missing authorization.
This vulnerability is identified as CVE-2026-6706. The attack can be executed remotely. There is not any exploit available.
GHSA
GHSA-vhw7-g2fh-rfg8: Improper access control in the vault documentation feature in Devolutions Server 2026
ghsa_unreviewed·2026-04-28
CVE-2026-6706 [MEDIUM] CWE-862 GHSA-vhw7-g2fh-rfg8: Improper access control in the vault documentation feature in Devolutions Server 2026
Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.
CVEList
CVE-2026-6706: Improper access control in the vault documentation feature in Devolutions Server 2026
cvelistv5·2026-04-28
CVE-2026-6706 CWE-862 CVE-2026-6706: Improper access control in the vault documentation feature in Devolutions Server 2026
Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-28