Devolutions Server vulnerabilities
78 known vulnerabilities affecting devolutions/server.
Total CVEs: 78
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: Critical 5, High 19, Medium 46, Low 8
Vulnerabilities
Page 3 of 4
Entry format: CVE | priority | severity | CVSS base score | affected versions | date
CVE-2026-4829 | P4 | MEDIUM | CVSS 5.4 | ≤ 2026.1.11 | 2026-04-01
CWE-287
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
Source: nvd
CVE-2025-5382 | P4 | MEDIUM | CVSS 6.8 | ≤ 2025.1.7.0 | 2025-06-05
CWE-284
Improper access control in the users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators' MFA.
Source: nvd
CVE-2026-9251 | P4 | MEDIUM | CVSS 5.4 | 2026.1.6.0 through 2026.1.16.0; ≤ 2025.3.20.0 | 2026-05-22
CWE-862
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Serv
Sources: cvelistv5, nvd
CVE-2026-9522 | P4 | MEDIUM | CVSS 5.4 | ≤ 2026.1.19 | 2026-06-02
CWE-284
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
Source: nvd
CVE-2026-5175 | P4 | MEDIUM | CVSS 5.0 | 2026.1.6 through 2026.1.11 | 2026-04-01
CWE-862
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.
This issue affects Devolutions Server 2026.1.6 through 2026.1.11.
Source: nvd
CVE-2025-1231 | P4 | MEDIUM | CVSS 5.4 | ≤ 2024.3.10.0 | 2025-02-11
CWE-287
Improper password reset in the PAM module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the Oracle user password after check-in, due to a crash in the password reset functionality.
Source: nvd
CVE-2026-9590 | P4 | MEDIUM | CVSS 5.3 | ≤ 2026.1.19 | 2026-06-02
CWE-284
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
Source: nvd
CVE-2025-3768 | P4 | MEDIUM | CVSS 5.0 | ≤ 2025.1.10.0 | 2025-06-05
CWE-284
Improper access control in the Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the Tor blocking feature when the Devolutions-hosted endpoint is not reachable.
Source: nvd
CVE-2026-4925 | P4 | MEDIUM | CVSS 5.0 | 2026.1.6 through 2026.1.11 | 2026-04-01
CWE-862
Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.
This issue affects Devolutions Server 2026.1.6 through 2026.1.11.
Source: nvd
CVE-2023-6264 | P4 | MEDIUM | CVSS 5.3 | ≤ 2023.3.7 | 2023-11-22
CWE-200
Information leak in the Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateway endpoints.
Source: nvd
CVE-2026-9245 | P4 | MEDIUM | CVSS 5.0 | 2026.1.6.0 through 2026.1.16.0; ≤ 2025.3.20.0 | 2026-05-22
CWE-601
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Sources: cvelistv5, nvd
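CVE-2026-9245 is classified as an open redirect (CWE-601): a login link carries a post-authentication return target that the server forwards to without enough validation. The page does not say how the Devolutions Server flow validates that parameter, so the following is an added, generic example of the kind of redirect-target check that closes this bug class; it is not Devolutions' code, and the allowlisted host `dvls.example.com` and the sample targets are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may legitimately point at. Constructed for
# this example; a real deployment would load this from configuration.
ALLOWED_HOSTS = frozenset({"dvls.example.com"})


def is_safe_redirect(target: str, allowed_hosts: frozenset = ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an https URL to an allowlisted host.

    Everything else is rejected: other schemes (javascript:, http:),
    foreign hosts, credentials-in-URL tricks (https://good@evil), and
    protocol-relative forms (//evil, ///evil, /\\evil).
    """
    if not target or len(target) > 2048:
        return False
    # Browsers normalise "\" to "/" and strip C0 controls, so a target
    # such as "/\\evil.example" would become "//evil.example" client-side.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False

    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative) URL: https only, host must be allowlisted.
        # parts.hostname ignores userinfo and port, so "https://good@evil/"
        # yields "evil" and is rejected.
        if parts.scheme.lower() != "https":
            return False
        return parts.hostname is not None and parts.hostname in allowed_hosts

    # Relative target: exactly one leading "/". "//evil" and "///evil" are
    # both resolved by browsers as authority-bearing URLs, so reject them.
    return target.startswith("/") and not target.startswith("//")


if __name__ == "__main__":
    # Constructed inputs covering the usual bypass shapes.
    samples = [
        "/app/entries",
        "https://dvls.example.com/app/entries",
        "//evil.example/login",
        "///evil.example",
        "/\\evil.example",
        "https://dvls.example.com@evil.example/",
        "http://dvls.example.com/",
        "javascript:alert(1)",
        "",
    ]
    for s in samples:
        print(f"{'ALLOW' if is_safe_redirect(s) else 'DENY ':5} {s!r}")
```

The hardened path is an allowlist on the final host, not a denylist of bad prefixes, and it runs after the same normalisation a browser applies (control characters, backslashes, empty authority). A relative target should still be resolved against the site's own origin before use.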
CVE-2025-0691 | P4 | MEDIUM | CVSS 5.0 | ≤ 2025.1.10.0 | 2025-06-05
CWE-284
Improper access control in the permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client-side validation.
Source: nvd
CVE-2024-1900 | P4 | MEDIUM | CVSS 5.5 | ≤ 2023.3.14.0 | 2024-03-05
CWE-613
Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows a user authenticated via an identity provider to stay authenticated after their user is disabled or deleted in the identity provider, such as Okta or Microsoft O365.
The user will stay authenticated until the Devolutions Server
Source: nvd
CVE-2024-12151 | P4 | MEDIUM | CVSS 5.0 | ≤ 2024.3.8.0 | 2024-12-04
CWE-732
Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.
Source: nvd
CVE-2026-5146 | P4 | MEDIUM | CVSS 4.3 | 2026.1.6.0 through 2026.1.15.0; ≤ 2025.3.19.0 | 2026-05-12
CWE-862
Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.
This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and ear
Source: nvd
CVE-2026-3221 | P4 | MEDIUM | CVSS 4.9 | fixed in 2025.3.15 | 2026-02-25
CWE-312
Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
Source: nvd
CVE-2026-10787 | P4 | MEDIUM | CVSS 4.3 | 2026.2.4.0; ≤ 2026.1.20.0 | 2026-06-08
CWE-862
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.
This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Source: nvd
CVE-2026-9224 | P4 | MEDIUM | CVSS 4.3 | 2026.1.6.0 through 2026.1.16.0; ≤ 2025.3.20.0 | 2026-05-22
CWE-862
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Sources: cvelistv5, nvd
CVE-2026-8407 | P4 | MEDIUM | CVSS 4.3 | 2026.1.6.0 through 2026.1.11.0; ≤ 2025.3.16.0 | 2026-05-12
CWE-862
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.
This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.11.0
* Devolutions Server 2
Source: nvd
CVE-2026-5171 | P4 | MEDIUM | CVSS 4.3 | 2026.1.6.0 through 2026.1.16.0; ≤ 2025.3.20.0 | 2026-05-22
CWE-284
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlie
Sources: cvelistv5, nvd
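The affected-version column above mixes three- and four-part version strings ("2026.1.11" and "2026.1.11.0" name the same build), "X and earlier" bounds, "X through Y" ranges, and single fixed builds (CVE-2026-10787), so matching an installed server against the list by eye is error-prone. The checker below is an added example, not part of the page's data source or of Devolutions' tooling: it normalises those strings and reports which of the 20 entries on this page cover a given build. The range table is transcribed from the entries above (only page 3 of 4; the other pages are not included), and the sample installed versions are made up.

```python
from typing import NamedTuple, Optional

Version = tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Normalise a Devolutions Server version string to four integers.

    The advisories write the same build as "2026.1.11" or "2026.1.11.0",
    so missing trailing components are padded with 0 before comparison.
    """
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    if not 1 <= len(parts) <= 4 or min(parts) < 0:
        raise ValueError(f"not a Devolutions Server version: {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


class VersionRange(NamedTuple):
    low: Optional[str]   # inclusive lower bound as written on the page; None = open
    high: Optional[str]  # inclusive upper bound as written on the page; None = open

    def covers(self, v: Version) -> bool:
        if self.low is not None and v < parse_version(self.low):
            return False
        if self.high is not None and v > parse_version(self.high):
            return False
        return True


def up_to(high: str) -> VersionRange:              # "X and earlier"
    return VersionRange(None, high)


def through(low: str, high: str) -> VersionRange:  # "X through Y" (or a single build)
    return VersionRange(low, high)


# Ranges transcribed from the entries on this page (page 3 of 4).
AFFECTED: dict[str, list[VersionRange]] = {
    "CVE-2026-4829": [up_to("2026.1.11")],
    "CVE-2025-5382": [up_to("2025.1.7.0")],
    "CVE-2026-9251": [through("2026.1.6.0", "2026.1.16.0"), up_to("2025.3.20.0")],
    "CVE-2026-9522": [up_to("2026.1.19")],
    "CVE-2026-5175": [through("2026.1.6", "2026.1.11")],
    "CVE-2025-1231": [up_to("2024.3.10.0")],
    "CVE-2026-9590": [up_to("2026.1.19")],
    "CVE-2025-3768": [up_to("2025.1.10.0")],
    "CVE-2026-4925": [through("2026.1.6", "2026.1.11")],
    "CVE-2023-6264": [up_to("2023.3.7")],
    "CVE-2026-9245": [through("2026.1.6.0", "2026.1.16.0"), up_to("2025.3.20.0")],
    "CVE-2025-0691": [up_to("2025.1.10.0")],
    "CVE-2024-1900": [up_to("2023.3.14.0")],
    "CVE-2024-12151": [up_to("2024.3.8.0")],
    "CVE-2026-5146": [through("2026.1.6.0", "2026.1.15.0"), up_to("2025.3.19.0")],
    "CVE-2026-3221": [up_to("2025.3.14")],
    "CVE-2026-10787": [through("2026.2.4.0", "2026.2.4.0"), up_to("2026.1.20.0")],
    "CVE-2026-9224": [through("2026.1.6.0", "2026.1.16.0"), up_to("2025.3.20.0")],
    "CVE-2026-8407": [through("2026.1.6.0", "2026.1.11.0"), up_to("2025.3.16.0")],
    "CVE-2026-5171": [through("2026.1.6.0", "2026.1.16.0"), up_to("2025.3.20.0")],
}


def affected_cves(version: str) -> list[str]:
    """CVE IDs from this page whose listed ranges cover `version`."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(r.covers(v) for r in ranges))


if __name__ == "__main__":
    # Made-up installed builds.
    for installed in ("2026.1.10", "2026.1.17", "2026.2.4.0", "2026.2.5.0"):
        hits = affected_cves(installed)
        print(f"{installed}: {len(hits)} listed CVE(s)", ", ".join(hits))
```

The bounds are applied literally, so an "X and earlier" entry such as "≤ 2026.1.11" also matches every 2025.x build, which is how the advisories phrase it; confirm against the vendor advisory for the release branch you run before treating a hit as actionable, and extend the table with the other three pages before using it as a complete inventory.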