Devolutions Server vulnerabilities

104 known vulnerabilities affecting devolutions/devolutions_server.

Total CVEs: 104
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 26, MEDIUM 60, LOW 9, UNKNOWN 3

Vulnerabilities

Page 4 of 6
CVE-2025-1231 | P4 | MEDIUM | CVSS 5.4 | fixed in 2024.3.11.0 | 2025-02-11
CWE-287. Improper password reset in the PAM module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the Oracle user password after check-in, due to a crash in the password reset functionality.
Source: NVD
CVE-2026-9590 | P4 | MEDIUM | CVSS 5.3 | fixed in 2026.1.20.0 | 2026-06-02
CWE-284. Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
Source: NVD
CVE-2025-3768 | P4 | MEDIUM | CVSS 5.0 | affected ≤ 2025.1.10.0 | 2025-06-05
CWE-284. Improper access control in the Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the Tor blocking feature when the Devolutions-hosted endpoint is not reachable.
Source: NVD
CVE-2026-4925 | P4 | MEDIUM | CVSS 5.0 | affected ≥ 2026.1.6.0, < 2026.1.12.0 | 2026-04-01
CWE-862. Improper access control in the user MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request. This issue affects Server from 2026.1.6 through 2026.1.11.
Source: NVD
CVE-2021-28048 | P4 | MEDIUM | CVSS 6.5 | fixed in 2020.3.18 | fixed in 2021.1 | 2021-04-14
CWE-346. An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page.
Source: NVD
CVE-2023-6264 | P4 | MEDIUM | CVSS 5.3 | fixed in 2023.3.8.0 | 2023-11-22
CWE-200. Information leak in the Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateway endpoints.
Source: NVD
CVE-2026-9245 | P4 | MEDIUM | CVSS 5.0 | fixed in 2025.3.22.0 | affected ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
CWE-601. Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: NVD
CVE-2023-5358 | P4 | MEDIUM | CVSS 5.3 | fixed in 2023.3.4.0 | affected ≤ 2023.2.10.0 | 2023-11-01
Improper access control in the Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request URL query parameters.
Source: NVD
CVE-2025-0691 | P4 | MEDIUM | CVSS 5.0 | affected ≤ 2025.1.10.0 | 2025-06-05
CWE-284. Improper access control in the permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client-side validation.
Source: NVD
CVE-2026-12117 | P4 | UNKNOWN | affected ≥ 2026.2.0, < 2026.2.5 | 2026-06-16
CWE-200. Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
Source: NVD
CVE-2024-1900 | P4 | MEDIUM | CVSS 5.5 | affected ≤ 2023.3.16.0 | 2024-03-05
CWE-613. Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows a user authenticated via an identity provider to stay authenticated after their user is disabled or deleted in the identity provider, such as Okta or Microsoft O365. The user will stay authenticated until the Devolutions Server
Source: NVD
CVE-2024-12151 | P4 | MEDIUM | CVSS 5.0 | fixed in 2024.3.9.0 | 2024-12-04
CWE-732. Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.
Source: NVD
CVE-2026-11890 | P4 | UNKNOWN | fixed in 2026.2.5 | fixed in 2026.1.21 | 2026-06-16
CWE-882. Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
Source: NVD
CVE-2026-5146 | P4 | MEDIUM | CVSS 4.3 | fixed in 2025.3.20.0 | affected ≥ 2026.1.6.0, < 2026.1.16.0 | 2026-05-12
CWE-862. Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and earlier
Source: NVD
CVE-2026-3221 | P4 | MEDIUM | CVSS 4.9 | fixed in 2025.3.15.0 | 2026-02-25
CWE-312. Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
Source: NVD
CVE-2026-12105 | P4 | UNKNOWN | fixed in 2026.2.5 | fixed in 2026.1.21 | 2026-06-16
CWE-862. Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
Source: NVD
CVE-2023-2445 | P4 | MEDIUM | CVSS 4.9 | fixed in 2023.1.3.0 | affected ≤ 2023.1.1 | 2023-05-02
CWE-346. Improper access control in the Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user vaults via a specific folder name.
Source: NVD
CVE-2026-10787 | P4 | MEDIUM | CVSS 4.3 | fixed in 2026.1.21.0 | v2026.2.4.0 | 2026-06-08
CWE-862. Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Source: NVD
CVE-2026-9224 | P4 | MEDIUM | CVSS 4.3 | fixed in 2025.3.22.0 | affected ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
CWE-862. Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: NVD
CVE-2026-8407 | P4 | MEDIUM | CVSS 4.3 | fixed in 2025.3.18.0 | affected ≥ 2026.1.6.0, < 2026.1.12.0 | 2026-05-12
CWE-862. Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.11.0
* Devolutions Server 2
Source: NVD