CVE-2026-9245
Published 2026-05-22
CVE-2026-9245: Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to…
Priority P4 · 29 · Severity medium · CVSS 3.1 base score 5.0
Vector: AV:N / AC:H / PR:N / UI:R / S:U / C:L / I:L / A:L
EPSS: 0.17% (6.6th percentile)
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
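The flaw class described above (CWE-601, an open redirect reached through a crafted login link) comes down to how the server validates the post-authentication destination it was handed. The Python below is an added example for this page, not Devolutions code, and it makes no claim about which parameter or code path CVE-2026-9245 actually involves; `ALLOWED_HOSTS`, `is_safe_redirect`, `naive_is_local` and the test vectors are hypothetical. It places a weak "leading slash means local" check beside an allowlist-based validator that handles the usual bypass shapes: protocol-relative targets, backslash variants, a userinfo decoy before `@`, non-http schemes, and embedded control characters.

```python
"""Redirect-target validation for a login/return-URL parameter (CWE-601).

Hypothetical example written for this page; it is not Devolutions code and
makes no claim about which parameter or code path CVE-2026-9245 involves.
"""
from urllib.parse import urlsplit

# Hosts the application may send a browser to after authentication.
# Hypothetical value for the example; a real deployment would use its own
# configured public hostname(s).
ALLOWED_HOSTS = frozenset({"dvls.example.internal"})


def naive_is_local(target: str) -> bool:
    """A check of the kind that causes open redirects: 'starts with a slash,
    so it is a relative path'. Shown only as the weak baseline."""
    return target.startswith("/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site path or an absolute
    http(s) URL whose host is explicitly allowed."""
    if not target:
        return False
    # Raw control characters or whitespace never belong in a redirect target;
    # browsers strip some of them (tab, CR, LF) before parsing, which can make
    # "/\tevil.example" behave like "//evil.example".
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat backslash as a slash in http(s) URLs, so "/\evil.example"
    # is really a protocol-relative URL. Normalize before parsing.
    normalized = target.replace("\\", "/")
    try:
        parts = urlsplit(normalized)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme:
        # Absolute URL: only http/https, and only to an allowed host.
        # `hostname` drops userinfo, so "https://good@evil.example" is judged
        # by "evil.example", not by the decoy before the "@".
        if parts.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, vbscript:, ...
        return (parts.hostname or "").lower() in allowed_hosts
    if parts.netloc:
        return False  # protocol-relative "//evil.example"
    # Remaining case: a path. Require exactly one leading slash; "///host"
    # is still interpreted as a host by browsers.
    return normalized.startswith("/") and not normalized.startswith("//")


# Constructed test vectors: (candidate target, expected verdict).
CASES = [
    ("/dashboard", True),
    ("/dashboard?next=1#x", True),
    ("https://dvls.example.internal/dashboard", True),
    ("https://evil.example/", False),
    ("//evil.example/", False),
    ("///evil.example/", False),
    ("/\\evil.example/", False),
    ("https://dvls.example.internal@evil.example/", False),
    ("javascript:alert(1)", False),
    ("/\tevil.example", False),
    ("dashboard", False),
    ("", False),
]


def evaluate(cases=CASES):
    """Run both checks over the vectors; returns (hardened_ok, naive_misses).

    hardened_ok: True if is_safe_redirect matched every expected verdict.
    naive_misses: external targets the leading-slash check would have let through.
    """
    hardened_ok = all(is_safe_redirect(t) == want for t, want in cases)
    naive_misses = [t for t, want in cases if not want and naive_is_local(t)]
    return hardened_ok, naive_misses


if __name__ == "__main__":
    ok, misses = evaluate()
    print("hardened check correct on all vectors:", ok)
    print("external targets the naive check would accept:", misses)
```

The allowlist approach is deliberately stricter than "reject known-bad patterns": anything that is not a single-slash path or an explicitly permitted host is refused, so new parser quirks default to a denied redirect rather than an accepted one. When a flow must legitimately hand off to an external identity provider, that provider's host belongs in the allowlist (or the server should redirect only to an internal route that knows the provider URL), never in a user-supplied parameter.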
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2025.3.22.0 | 2025.3.22.0 |
| devolutions | devolutions_server | >= 2026.1.6.0 < 2026.1.19.0 | 2026.1.19.0 |
| devolutions | server | <= 2025.3.20.0 | — |
| devolutions | server | 2026.1.6.0 – 2026.1.16.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
| cvelistv5 | 3.1 | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
GHSA
GHSA-3v98-q7qw-m4cr · ghsa_unreviewed · 2026-05-26 · MEDIUM · CWE-601
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
VulDB
Devolutions Server up to 2025.3.20.0/2026.1.16.0 Login Link redirect (DEVO-2026-0013 / EUVD-2026-31459) · vuldb · 2026-05-22 · LOW
A vulnerability described as problematic has been identified in Devolutions Server up to 2025.3.20.0/2026.1.16.0. An unknown function of the component Login Link Handler is affected. Manipulation leads to open redirect.
This vulnerability is documented as CVE-2026-9245. The attack can be executed remotely. No exploit is available.
CVEList
CVE-2026-9245 · cvelistv5 · 2026-05-22 · CVSS 5.0 · MEDIUM · CWE-601
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline
2026-05-22 · Published