Devolutions Server vulnerabilities
104 known vulnerabilities affecting devolutions/devolutions_server.
Total CVEs: 104
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 26, MEDIUM 60, LOW 9, UNKNOWN 3
Vulnerabilities
Page 5 of 6
CVE-2026-5171 | MEDIUM | P4 | CVSS 4.3 | CWE-284 | fixed in 2025.3.22.0; affected ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: NVD
CVE-2026-9246 | MEDIUM | P4 | CVSS 4.3 | CWE-862 | fixed in 2025.3.22.0; affected ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: NVD
CVE-2024-10971 | MEDIUM | P4 | CVSS 4.3 | CWE-200 | fixed in 2024.3.7.0 | 2024-11-12
Improper access control in the Password History feature in Devolutions DVLS 2024.3.6 and earlier allows a malicious authenticated user to obtain sensitive data via faulty permission.
Source: NVD
CVE-2024-12148 | MEDIUM | P4 | CVSS 4.3 | CWE-863 | fixed in 2024.3.7.0 | 2024-12-04
Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.
Source: NVD
CVE-2026-4989 | MEDIUM | P4 | CVSS 4.3 | CWE-918 | affected ≥ 2025.3.1.0, < 2025.3.18.0; ≥ 2026.1.1.0, < 2026.1.12.0 | 2026-04-01
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.
This issue affects Devolutions Server from 2026.1.1 through 2026.1.11 and from 2025.3.1 through 2025.3.17.
Source: NVD
CVE-2026-9223 | MEDIUM | P4 | CVSS 4.3 | CWE-284 | fixed in 2026.1.19.0 | 2026-05-22
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Source: NVD
CVE-2021-23925 | MEDIUM | P4 | CVSS 6.1 | CWE-79 | fixed in 2020.3 | 2021-04-01
An issue was discovered in Devolutions Server before 2020.3. There is a cross-site scripting (XSS) vulnerability in entries of type Document.
Source: NVD
CVE-2022-2316 | MEDIUM | P4 | CVSS 5.4 | CWE-79 | fixed in 2022.2; affected ≥ 2022.2, < 2022.2 | 2022-07-06
HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site.
Source: NVD
CVE-2025-13765 | MEDIUM | P4 | CVSS 4.3 | CWE-200 | fixed in 2025.2.21.0; affected ≥ 2025.3.2.0, < 2025.3.10.0 | 2025-11-27
Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server before 2025.2.21 and before 2025.3.9.
Source: NVD
CVE-2026-1768 | MEDIUM | P4 | CVSS 4.3 | CWE-863 | fixed in 2025.3.15.0 / 2025.3.15 | 2026-02-24
A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries. This issue affects Devolutions Server before 2025.3.15.
Source: NVD
CVE-2024-1898 | MEDIUM | P4 | CVSS 4.3 | CWE-284 | fixed in 2024.1.0 | 2024-03-05
Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low-privileged user to change notification settings configured by an administrator.
Source: NVD
CVE-2025-4316 | MEDIUM | P4 | CVSS 4.3 | CWE-284 | fixed in 2024.3.17.0; affected ≥ 2025.1.3.0, < 2025.1.7.0 | 2025-05-05
Improper access control in the PAM feature in Devolutions Server allows a PAM user to self-approve their PAM requests even if disallowed by the configured policy via specific user interface actions.
This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.
Source: NVD
CVE-2024-3545 | MEDIUM | P4 | CVSS 4.3 | CWE-281 | fixed in 2024.1.9.0 | 2024-04-09
Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on Windows and Devolutions Server 2024.1.8 and earlier allows an attacker to access sensitive information contained in the offline cache file by gaining access to a computer where the software is installed even though the offlin
Source: NVD
CVE-2024-1901 | MEDIUM | P4 | CVSS 4.3 | affected ≤ 2023.3.16.0 | 2024-03-05
Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with specific PAM permissions to make PAM credentials unavailable.
Source: NVD
CVE-2025-11958 | MEDIUM | P4 | CVSS 4.1 | CWE-20 | affected ≤ 2025.2.15.0 | 2025-10-22
An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.
Source: NVD
CVE-2024-2918 | LOW | P4 | CVSS 3.6 | fixed in 2024.1.11.0 | 2024-04-09
Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to forge the displayed group in the PAM JIT elevation checkout request via a specially crafted request.
Source: NVD
CVE-2025-13758 | LOW | P4 | CVSS 3.5 | CWE-200 | fixed in 2025.2.21.0; affected ≥ 2025.3.2.0, < 2025.3.10.0 | 2025-11-27
Exposure of credentials in unintended requests in Devolutions Server. This issue affects Devolutions Server through 2025.2.20 and through 2025.3.8.
Source: NVD
CVE-2026-9249 | LOW | P4 | CVSS 3.1 | CWE-620 | fixed in 2025.3.22.0; affected ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Source: NVD
CVE-2026-12755 | LOW | P4 | CVSS 2.7 | CWE-1284 | affected ≥ 2026.2.4.0, < 2026.2.9.0 | 2026-06-25
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
Source: NVD
CVE-2021-36382 | LOW | P4 | CVSS 3.7 | CWE-319 | fixed in 2020.3.20 and 2021.1.18 | 2021-07-12
Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts cleartext).
Source: NVD