CVE-2026-9590
Published 2026-06-02
Priority: P4 · 30 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.18% (8.2th percentile)
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | < 2026.1.20.0 | 2026.1.20.0 |
| devolutions | server | <= 2026.1.19 | — |
VulDB
Devolutions Server up to 2026.1.19 Permission Validation access control (DEVO-2026-0014 / EUVD-2026-33935)
vuldb·2026-06-02·CVSS 5.3
CVE-2026-9590 [MEDIUM] Devolutions Server up to 2026.1.19 Permission Validation access control (DEVO-2026-0014 / EUVD-2026-33935)
A vulnerability has been found in Devolutions Server up to 2026.1.19 and classified as critical. Affected is an unknown function of the component Permission Validation. This manipulation causes improper access controls.
This vulnerability appears as CVE-2026-9590. The attack may be initiated remotely. There is no available exploit.
GHSA
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without t
ghsa_unreviewed·2026-06-02
CVE-2026-9590 [MEDIUM] CWE-284 Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without t
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-02: Published