
Devolutions Server vulnerabilities

104 known vulnerabilities affecting devolutions/devolutions_server.

Total CVEs: 104
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 26, MEDIUM 60, LOW 9, UNKNOWN 3

Vulnerabilities

Page 3 of 6
CVE-2023-5575 | P3 | MEDIUM | CVSS 6.5 | affected: ≤ 2022.3.13.0 | published: 2023-10-16
Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that has compromised a low-privileged user to access entries via a specific combination of permissions in the entry and in its parent.
Source: NVD
CVE-2023-0661 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | affected: ≥ 2022.3.1.0, < 2022.3.10.0; ≤ 2022.3.9 | published: 2023-02-12
Improper access control in Devolutions Server allows an authenticated user to access unauthorized sensitive data.
Source: NVD
CVE-2024-12196 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2024.3.8.0 | published: 2024-12-04
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
Source: NVD
CVE-2022-3781 | P3 | MEDIUM | CVSS 6.5 | CWE-311 | fixed in 2022.3.2; affected: ≤ 2022.3.1 | published: 2022-11-01
Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions, which allows database users to read the data. This issue affects: Remote Desktop Manager 2022.2.26 and prior versions. Devolutions
Source: NVD
CVE-2025-2278 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | fixed in 2025.1.3.0 | published: 2025-03-13
Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.
Source: NVD
CVE-2024-6512 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2024.3.0; affected: ≤ 2024.2.10.0 | published: 2024-09-25
Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.
Source: NVD
CVE-2025-3517 | P3 | MEDIUM | CVSS 6.3 | CWE-266 | fixed in 2025.1.6.0; affected: ≤ 2025.1.5.0 | published: 2025-05-01
Incorrect privilege assignment in the PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a user previously configured in a PAM JIT account, via failure to update the internal account's SID when updating the username.
Source: NVD
CVE-2026-3638 | P3 | MEDIUM | CVSS 5.9 | CWE-862 | fixed in 2025.3.12.0 | published: 2026-03-09
Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.
Source: NVD
CVE-2021-23924 | P3 | HIGH | CVSS 7.5 | CWE-532 | fixed in 2020.3 | published: 2021-04-01
An issue was discovered in Devolutions Server before 2020.3. There is an exposure of sensitive information in diagnostic files.
Source: NVD
CVE-2025-4493 | P3 | MEDIUM | CVSS 6.5 | CWE-266 | affected: ≤ 2024.3.15.0; ≥ 2025.1.3.0, ≤ 2025.1.7.0 | published: 2025-05-28
Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue. This issue affects the following versions:
* Devolutions Server 2025.1.3.0 through 2025.1.7.0
* Devolutions Server 2024.3.15.0 and earlier
Source: NVD
CVE-2026-4927 | P3 | MEDIUM | CVSS 6.5 | CWE-201 | affected: ≥ 2026.1.6.0, < 2026.1.12.0 | published: 2026-04-01
Exposure of sensitive information in the users' MFA feature in Devolutions Server allows users with user management privileges to obtain other users' OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11.
Source: NVD
CVE-2023-1201 | P3 | MEDIUM | CVSS 6.5 | fixed in 2022.3.13; affected: ≤ 2022.3.12 | published: 2023-03-10
Improper access control in the secure messages feature in Devolutions Server 2022.3.12 and below allows an authenticated attacker that possesses the message UUID to access the data it contains.
Source: NVD
CVE-2023-0952 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | affected: ≤ 2022.3.12 | published: 2023-03-01
Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.
Source: NVD
CVE-2023-1603 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2023.1.3.0 | published: 2023-04-02
Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via ID collision.
Source: NVD
CVE-2026-4829 | P4 | MEDIUM | CVSS 5.4 | CWE-287 | fixed in 2026.1.12.0 | published: 2026-04-01
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
Source: NVD
CVE-2025-5382 | P4 | MEDIUM | CVSS 6.8 | CWE-284 | fixed in 2025.1.9.0 | published: 2025-06-05
Improper access control in the users' MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators' MFA.
Source: NVD
CVE-2026-9251 | P4 | MEDIUM | CVSS 5.4 | CWE-862 | fixed in 2025.3.22.0; affected: ≥ 2026.1.6.0, < 2026.1.19.0 | published: 2026-05-22
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Serv
Source: NVD
CVE-2026-9522 | P4 | MEDIUM | CVSS 5.4 | CWE-284 | fixed in 2026.1.20.0 | published: 2026-06-02
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
Source: NVD
CVE-2026-5175 | P4 | MEDIUM | CVSS 5.0 | CWE-862 | affected: ≥ 2026.1.6.0, < 2026.1.12.0 | published: 2026-04-01
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from 2026.1.6 through 2026.1.11.
Source: NVD
CVE-2023-2118 | P4 | MEDIUM | CVSS 5.4 | fixed in 2023.1.6.0 | published: 2023-04-21
Insufficient access control in the support ticket feature in Devolutions Server 2023.1.5.0 and below allows an authenticated attacker to send support tickets and download diagnostic files via specific endpoints.
Source: NVD
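The practical use of a list like this is checking a deployed build against it. The Python script below is an added example, not cvebase's or Devolutions' code: it transcribes the affected/fixed fields of the twenty entries on this page into a table and reports which of them cover a given installed version. Versions are compared component by component after padding to four parts, so 2022.3.9 sorts below 2022.3.10.0 and 2022.3.13 equals 2022.3.13.0; plain string comparison would get both wrong. The four-component YYYY.R.P.B scheme is assumed from the version numbers on this page, and a "fixed in X" field is read as "every build below X is affected".

```python
"""Check an installed Devolutions Server build against the affected/fixed
ranges transcribed from this page.

Added example; not cvebase's or Devolutions' code. AFFECTED is a hand
transcription of the twenty entries on this page (page 3 of 6 only), and the
version parser assumes the four-component YYYY.R.P.B scheme those entries use.
"""
import re
from typing import Dict, List, Tuple

# Transcribed from the page. Alternatives are separated by ";", conjunctive
# bounds by ",". "fixed in X" is read as "< X". Only the ranges visible on
# the page are encoded; the truncated second range of CVE-2026-9251 is not.
AFFECTED: Dict[str, str] = {
    "CVE-2023-5575": "≤ 2022.3.13.0",
    "CVE-2023-0661": "≥ 2022.3.1.0, < 2022.3.10.0; ≤ 2022.3.9",
    "CVE-2024-12196": "fixed in 2024.3.8.0",
    "CVE-2022-3781": "fixed in 2022.3.2; ≤ 2022.3.1",
    "CVE-2025-2278": "fixed in 2025.1.3.0",
    "CVE-2024-6512": "fixed in 2024.3.0; ≤ 2024.2.10.0",
    "CVE-2025-3517": "fixed in 2025.1.6.0; ≤ 2025.1.5.0",
    "CVE-2026-3638": "fixed in 2025.3.12.0",
    "CVE-2021-23924": "fixed in 2020.3",
    "CVE-2025-4493": "≤ 2024.3.15.0; ≥ 2025.1.3.0, ≤ 2025.1.7.0",
    "CVE-2026-4927": "≥ 2026.1.6.0, < 2026.1.12.0",
    "CVE-2023-1201": "fixed in 2022.3.13; ≤ 2022.3.12",
    "CVE-2023-0952": "≤ 2022.3.12",
    "CVE-2023-1603": "fixed in 2023.1.3.0",
    "CVE-2026-4829": "fixed in 2026.1.12.0",
    "CVE-2025-5382": "fixed in 2025.1.9.0",
    "CVE-2026-9251": "fixed in 2025.3.22.0; ≥ 2026.1.6.0, < 2026.1.19.0",
    "CVE-2026-9522": "fixed in 2026.1.20.0",
    "CVE-2026-5175": "≥ 2026.1.6.0, < 2026.1.12.0",
    "CVE-2023-2118": "fixed in 2023.1.6.0",
}

Version = Tuple[int, ...]
# "<=" and ">=" are listed before "<" and ">" so the two-character forms win.
_COND = re.compile(r"(<=|>=|<|>)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'2022.3.9' -> (2022, 3, 9, 0): pad to four components so that a
    three-part release compares equal to its '.0' build."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def _normalize(spec: str) -> str:
    # Map the page's notation onto plain comparison operators.
    return spec.replace("≤", "<=").replace("≥", ">=").replace("fixed in", "<")


def _holds(v: Version, op: str, bound: Version) -> bool:
    return {"<=": v <= bound, ">=": v >= bound, "<": v < bound, ">": v > bound}[op]


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every bound of any ';'-separated alternative."""
    v = parse_version(version)
    for alt in _normalize(spec).split(";"):
        conds = _COND.findall(alt)
        if not conds:
            raise ValueError(f"unparseable range: {alt!r}")
        if all(_holds(v, op, parse_version(bound)) for op, bound in conds):
            return True
    return False


def affecting(version: str) -> List[str]:
    """CVE IDs from this page whose listed ranges cover `version`, sorted."""
    return sorted(cve for cve, spec in AFFECTED.items() if in_range(version, spec))


if __name__ == "__main__":
    import sys
    # Constructed sample versions; pass your own build number(s) as arguments.
    for v in sys.argv[1:] or ["2022.3.9", "2026.1.10.0", "2026.1.20.0"]:
        hits = affecting(v)
        print(f"{v}: {len(hits)} listed CVEs" + (": " + ", ".join(hits) if hits else ""))
```

Two caveats when reading the output. Reading "fixed in X" as "< X" is deliberately the over-approximating direction for a patch check: for CVE-2026-9251, "fixed in 2025.3.22.0" flags every 2025.1 and 2025.3 build below that number even though the page's explicit range only names 2026.1.6.0 and later, so treat a hit as "go read the advisory", not as confirmed exposure. And because this is page 3 of 6, a clean result here says nothing about the other 84 entries in the product's list.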
Devolutions Server vulnerabilities | cvebase