CVE-2026-9223
Published 2026-05-22
CVE-2026-9223: Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults…
Priority: P4 · 23 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.15% (4.8th percentile)
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2026.1.19.0 | 2026.1.19.0 |
| devolutions | server | <= 2026.1.16.0 | — |
CVSS provenance
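| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| cvelistv5 | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |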
GHSA
GHSA-9mmr-r4fg-jmhx: Missing authorization in the vault import feature in Devolutions Server 2026
ghsa_unreviewed·2026-05-26
CVE-2026-9223 [MEDIUM] CWE-284 GHSA-9mmr-r4fg-jmhx: Missing authorization in the vault import feature in Devolutions Server 2026
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
VulDB
Devolutions Server up to 2026.1.16.0 Vault Import Feature access control (DEVO-2026-0013 / EUVD-2026-31455)
vuldb·2026-05-22
CVE-2026-9223 [CRITICAL] Devolutions Server up to 2026.1.16.0 Vault Import Feature access control (DEVO-2026-0013 / EUVD-2026-31455)
A vulnerability, which was classified as critical, was found in Devolutions Server up to 2026.1.16.0. This impacts an unknown function of the component Vault Import Feature. The manipulation results in improper access controls.
This vulnerability is known as CVE-2026-9223. It is possible to launch the attack remotely. No exploit is available.
CVEList
CVE-2026-9223: Missing authorization in the vault import feature in Devolutions Server 2026
cvelistv5·2026-05-22·CVSS 4.3
CVE-2026-9223 [MEDIUM] CWE-284 CVE-2026-9223: Missing authorization in the vault import feature in Devolutions Server 2026
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-22: Published