CVE-2026-9246
Published 2026-05-22
CVE-2026-9246: Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to…
Priority P4 · 24 · medium · 4.3 CVSS 3.1
AV:N · AC:L · PR:L · UI:N · S:U · C:N · I:L · A:N
EPSS: 0.15% (4.8th percentile)
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2025.3.22.0 | 2025.3.22.0 |
| devolutions | devolutions_server | >= 2026.1.6.0 < 2026.1.19.0 | 2026.1.19.0 |
| devolutions | server | <= 2025.3.20.0 | — |
| devolutions | server | 2026.1.6.0 – 2026.1.16.0 | — |
CVSS provenance
nvd · v3.1 · 4.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
cvelistv5 · v3.1 · 4.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
GHSA
GHSA-66j7-xv33-vfjx: Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access t
ghsa_unreviewed · 2026-05-26
CVE-2026-9246 [MEDIUM] CWE-862 GHSA-66j7-xv33-vfjx: Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access t
VulDB
Devolutions Server up to 2025.3.20.0/2026.1.16.0 API authorization (DEVO-2026-0013 / EUVD-2026-31458)
vuldb · 2026-05-22
CVE-2026-9246 [CRITICAL] Devolutions Server up to 2025.3.20.0/2026.1.16.0 API authorization (DEVO-2026-0013 / EUVD-2026-31458)
A vulnerability was found in Devolutions Server up to 2025.3.20.0/2026.1.16.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component API. Such manipulation leads to missing authorization.
This vulnerability is uniquely identified as CVE-2026-9246. The attack can be launched remotely. No exploit exists.
CVEList
CVE-2026-9246: Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access t
cvelistv5 · 2026-05-22 · CVSS 4.3
CVE-2026-9246 [MEDIUM] CWE-862 CVE-2026-9246: Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access t
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22