CVE-2026-9522
published 2026-06-02
Priority P4 · 32 · medium · 5.4 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.14% (3.6th percentile)
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2026.1.20.0 | 2026.1.20.0 |
| devolutions | server | <= 2026.1.19 | — |
GHSA
ghsa_unreviewed·2026-06-02
CVE-2026-9522 [MEDIUM] CWE-284
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
VulDB
Devolutions Server up to 2026.1.19 PAM Account Discovery Feature access control (DEVO-2026-0014 / EUVD-2026-33937)
vuldb·2026-06-02·CVSS 5.4
CVE-2026-9522 [MEDIUM] Devolutions Server up to 2026.1.19 PAM Account Discovery Feature access control (DEVO-2026-0014 / EUVD-2026-33937)
A vulnerability was found in Devolutions Server up to 2026.1.19. It has been classified as critical. This impacts an unknown function of the component PAM Account Discovery Feature. This manipulation causes improper access controls.
This vulnerability is handled as CVE-2026-9522. The attack can be initiated remotely. There is not any exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-02
Published