Devolutions Server vulnerabilities
78 known vulnerabilities affecting devolutions/server.
Total CVEs: 78
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 46, LOW 8
Vulnerabilities
Page 2 of 4
CVE-2026-1007 | P3 | HIGH | CVSS 7.6 | CWE-863 | Versions: ≥ 2025.3.1, ≤ 2025.3.12 | 2026-01-19
Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12.
Source: nvd
CVE-2026-7325 | P3 | HIGH | CVSS 7.1 | CWE-918 | Versions: ≥ 2026.1.6.0, ≤ 2026.1.16.0; ≤ 2025.3.20.0 | 2026-05-22
Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* De
Sources: cvelistv5, nvd
CVE-2026-3131 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | Versions: fixed in 2025.3.15 | 2026-02-24
Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.
Source: nvd
CVE-2026-10544 | P3 | MEDIUM | CVSS 6.5 | CWE-78 | Versions: v2026.2.4.0; ≤ 2026.1.20.0 | 2026-06-08
Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.
This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0
Source: nvd
CVE-2024-4846 | P3 | MEDIUM | CVSS 6.3 | CWE-290 | Versions: ≤ 2024.1.14.0 | 2024-06-25
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.
Source: nvd
CVE-2025-2003 | P3 | HIGH | CVSS 7.1 | CWE-863 | Versions: ≤ 2024.3.12.0 | 2025-03-05
Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.
Source: nvd
CVE-2025-8312 | P3 | HIGH | CVSS 7.1 | CWE-833 | Versions: ≥ 2025.2.2.0, ≤ 2025.2.5.0; ≤ 2025.1.13.0 | 2025-07-30
Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service. This issue affects the following version(s):
* Devolutions Server 2025.2.2.0 through 2025.2.5.0
* Devolutions Server 2025.1.12.0 and earlier
Source: nvd
CVE-2025-12808 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | Versions: ≥ 2025.3.2.0, ≤ 2025.3.5.0; ≤ 2025.2.15.0 | 2025-11-06
Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.
This issue affects the following versions:
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
* Devolutions Server 2025.2.15.0 and earlier
Source: nvd
CVE-2026-6706 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | Versions: ≥ 2026.1.6.0, ≤ 2026.1.14.0; ≤ 2025.3.18.0 | 2026-04-28
Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.
This issue affects Server: from 2026.1.6.0 through 2026.1.14.0; through 2025.3.18.0.
Sources: cvelistv5, nvd
CVE-2026-10786 | P3 | MEDIUM | CVSS 6.5 | CWE-312 | Versions: v2026.2.4.0; ≤ 2026.1.20.0 | 2026-06-08
Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.
This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Source: nvd
CVE-2025-13683 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | Versions: ≤ 2025.3.8.0 | 2025-11-28
Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows. This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.
Source: nvd
CVE-2025-8353 | P3 | MEDIUM | CVSS 5.9 | CWE-446 | Versions: ≤ 2025.2.4.0 | 2025-07-30
UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.
Source: nvd
CVE-2024-5072 | P3 | MEDIUM | CVSS 6.5 | Versions: ≤ 2024.1.11.0 | 2024-05-17
Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with access to the PAM JIT elevation feature to manipulate the LDAP filter query via a specially crafted request.
Source: nvd
CVE-2023-5575 | P3 | MEDIUM | CVSS 6.5 | Versions: ≤ 2022.3.13.0 | 2023-10-16
Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific combination of permissions in the entry and in its parent.
Source: nvd
CVE-2024-12196 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Versions: ≤ 2024.3.7.0 | 2024-12-04
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
Source: nvd
CVE-2025-2278 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | Versions: ≤ 2024.3.13 | 2025-03-13
Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.
Source: nvd
CVE-2026-3638 | P3 | MEDIUM | CVSS 5.9 | CWE-862 | Versions: ≤ 2025.3.11.0 | 2026-03-09
Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.
Source: nvd
CVE-2025-4493 | P3 | MEDIUM | CVSS 6.5 | CWE-266 | Versions: ≥ 2025.1.3.0, ≤ 2025.1.7.0; ≤ 2024.3.15.0 | 2025-05-28
Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue.
This issue affects the following versions:
* Devolutions Server 2025.1.3.0 through 2025.1.7.0
* Devolutions Server 2024.3.15.0 and earlier
Source: nvd
CVE-2026-4927 | P3 | MEDIUM | CVSS 6.5 | CWE-201 | Versions: ≥ 2026.1.6, ≤ 2026.1.11 | 2026-04-01
Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users' OTP keys via an authenticated API request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
Source: nvd
CVE-2023-1603 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Versions: ≤ 2022.3.13 | 2023-04-02
Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.
Source: nvd