Devolutions Server vulnerabilities
104 known vulnerabilities affecting devolutions/devolutions_server.
Total CVEs: 104
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 26, MEDIUM 60, LOW 9, UNKNOWN 3
Vulnerabilities
Page 4 of 6
CVE-2025-1231 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024.3.11.0 | 2025-02-11
CWE-287
Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality.
Source: nvd

CVE-2026-9590 | P4 | MEDIUM | CVSS 5.3 | fixed in 2026.1.20.0 | 2026-06-02
CWE-284
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
Source: nvd

CVE-2025-3768 | P4 | MEDIUM | CVSS 5.0 | ≤ 2025.1.10.0 | 2025-06-05
CWE-284
Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.
Source: nvd

CVE-2026-4925 | P4 | MEDIUM | CVSS 5.0 | ≥ 2026.1.6.0, < 2026.1.12.0 | 2026-04-01
CWE-862
Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
Source: nvd

CVE-2021-28048 | P4 | MEDIUM | CVSS 6.5 | fixed in 2020.3.18 | fixed in 2021.1 | 2021-04-14
CWE-346
An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page.
Source: nvd

CVE-2023-6264 | P4 | MEDIUM | CVSS 5.3 | fixed in 2023.3.8.0 | 2023-11-22
CWE-200
Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateways endpoints.
Source: nvd

CVE-2026-9245 | P4 | MEDIUM | CVSS 5.0 | fixed in 2025.3.22.0 | ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
CWE-601
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: nvd

CVE-2023-5358 | P4 | MEDIUM | CVSS 5.3 | fixed in 2023.3.4.0 | ≤ 2023.2.10.0 | 2023-11-01
Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request url query parameters.
Source: nvd

CVE-2025-0691 | P4 | MEDIUM | CVSS 5.0 | ≤ 2025.1.10.0 | 2025-06-05
CWE-284
Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.
Source: nvd

CVE-2026-12117 | P4 | UNKNOWN | ≥ 2026.2.0, < 2026.2.5 | 2026-06-16
CWE-200
Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
Source: nvd

CVE-2024-1900 | P4 | MEDIUM | CVSS 5.5 | ≤ 2023.3.16.0 | 2024-03-05
CWE-613
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365.
The user will stay authenticated until the Devolutions Server
Source: nvd

CVE-2024-12151 | P4 | MEDIUM | CVSS 5.0 | fixed in 2024.3.9.0 | 2024-12-04
CWE-732
Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.
Source: nvd

CVE-2026-11890 | P4 | UNKNOWN | fixed in 2026.2.5 | fixed in 2026.1.21 | 2026-06-16
CWE-882
Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
Source: nvd

CVE-2026-5146 | P4 | MEDIUM | CVSS 4.3 | fixed in 2025.3.20.0 | ≥ 2026.1.6.0, < 2026.1.16.0 | 2026-05-12
CWE-862
Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.
This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and ear
Source: nvd

CVE-2026-3221 | P4 | MEDIUM | CVSS 4.9 | fixed in 2025.3.15.0 | 2026-02-25
CWE-312
Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
Source: nvd

CVE-2026-12105 | P4 | UNKNOWN | fixed in 2026.2.5 | fixed in 2026.1.21 | 2026-06-16
CWE-862
Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
Source: nvd

CVE-2023-2445 | P4 | MEDIUM | CVSS 4.9 | fixed in 2023.1.3.0 | ≤ 2023.1.1 | 2023-05-02
CWE-346
Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user vaults via a specific folder name.
Source: nvd

CVE-2026-10787 | P4 | MEDIUM | CVSS 4.3 | fixed in 2026.1.21.0 | v2026.2.4.0 | 2026-06-08
CWE-862
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.
This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Source: nvd

CVE-2026-9224 | P4 | MEDIUM | CVSS 4.3 | fixed in 2025.3.22.0 | ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
CWE-862
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: nvd

CVE-2026-8407 | P4 | MEDIUM | CVSS 4.3 | fixed in 2025.3.18.0 | ≥ 2026.1.6.0, < 2026.1.12.0 | 2026-05-12
CWE-862
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.
This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.11.0
* Devolutions Server 2
Source: nvd