Devolutions Server vulnerabilities

78 known vulnerabilities affecting devolutions/server.

Total CVEs: 78
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 46, LOW 8

Vulnerabilities

Page 4 of 4
CVE-2026-9246 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2026.1.6.0, ≤ 2026.1.16.0; ≤ 2025.3.20.0 | Published: 2026-05-22
CWE-862. Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and e
Sources: cvelistv5, nvd

CVE-2024-12148 | P4 | MEDIUM | CVSS 4.3 | Affected: ≤ 2024.3.6.0 | Published: 2024-12-04
CWE-863. Incorrect authorization in the permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.
Source: nvd

CVE-2026-4989 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2026.1.1, ≤ 2026.1.11; ≥ 2025.3.1, ≤ 2025.3.17 | Published: 2026-04-01
CWE-918. Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
Source: nvd

CVE-2026-9223 | P4 | MEDIUM | CVSS 4.3 | Affected: ≤ 2026.1.16.0 | Published: 2026-05-22
CWE-284. Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Sources: cvelistv5, nvd

CVE-2025-13765 | P4 | MEDIUM | CVSS 4.3 | Fixed in: 2025.2.21; 2025.3.9 | Published: 2025-11-27
CWE-200. Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.
Source: nvd

CVE-2024-1898 | P4 | MEDIUM | CVSS 4.3 | Affected: ≤ 2023.3.14.0 | Published: 2024-03-05
CWE-284. Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low-privileged user to change notification settings configured by an administrator.
Source: nvd

CVE-2025-4316 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2025.1.3.0, ≤ 2025.1.6.0; ≤ 2024.3.15.0 | Published: 2025-05-05
CWE-284. Improper access control in the PAM feature in Devolutions Server allows a PAM user to self-approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.
Source: nvd

CVE-2024-3545 | P4 | MEDIUM | CVSS 4.3 | Affected: ≤ 2024.1.8.0 | Published: 2024-04-09
CWE-281. Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on Windows and Devolutions Server 2024.1.8 and earlier allows an attacker to access sensitive information contained in the offline cache file by gaining access to a computer where the software is installed even though the offlin
Source: nvd

CVE-2024-1901 | P4 | MEDIUM | CVSS 4.3 | Affected: ≤ 2023.3.14.0 | Published: 2024-03-05
Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with specific PAM permissions to make PAM credentials unavailable.
Source: nvd

CVE-2025-11958 | P4 | MEDIUM | CVSS 4.1 | Affected: ≤ 2025.2.15.0 | Published: 2025-10-22
CWE-20. Improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.
Source: nvd

CVE-2024-2918 | P4 | LOW | CVSS 3.6 | Affected: ≤ 2024.1.10.0 | Published: 2024-04-09
Improper input validation in the PAM JIT elevation feature in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to forge the displayed group in the PAM JIT elevation checkout request via a specially crafted request.
Source: nvd

CVE-2025-13758 | P4 | LOW | CVSS 3.5 | Affected: ≤ 2025.2.20 | Published: 2025-11-27
CWE-200. Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8.
Source: nvd

CVE-2026-9249 | P4 | LOW | CVSS 3.1 | Affected: ≥ 2026.1.6.0, ≤ 2026.1.16.0; ≤ 2025.3.20.0 | Published: 2026-05-22
CWE-620. Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier.
Sources: cvelistv5, nvd

CVE-2026-12755 | P4 | LOW | CVSS 2.7 | Affected: ≥ 2026.2.4.0, < 2026.2.7.0 | Published: 2026-06-25
CWE-1284. Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
Source: nvd

CVE-2026-9248 | P4 | LOW | CVSS 2.6 | Affected: ≥ 2026.1.6.0, ≤ 2026.1.16.0; ≤ 2025.3.20.0 | Published: 2026-05-22
CWE-639. Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and
Sources: cvelistv5, nvd

CVE-2026-8477 | P4 | LOW | CVSS 2.7 | Affected: ≥ 2026.1.6.0, ≤ 2026.1.16.0; ≤ 2025.3.20.0 | Published: 2026-05-22
CWE-841. Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16
Sources: cvelistv5, nvd

CVE-2023-2400 | P4 | LOW | CVSS 2.7 | Affected: ≤ 2023.1.8 | Published: 2023-06-20
CWE-459. Improper deletion of resource in the user management feature in Devolutions Server 2023.1.8 and earlier allows an administrator to view the user vaults of deleted users via database access.
Source: nvd

CVE-2026-9247 | P4 | LOW | CVSS 2.4 | Affected: ≥ 2026.1.6.0, ≤ 2026.1.16.0; ≤ 2025.3.20.0 | Published: 2026-05-22
CWE-778. Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earli
Sources: cvelistv5, nvd