Vulnerability Details CVE-2026-4989
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.
This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.9%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2026-4989
- cpe:2.3:a:devolutions:devolutions_server:*
- cpe:2.3:a:devolutions:devolutions_server:2025.3.1.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.10.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.11.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.12.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.14.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.15.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.16.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.2.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.3.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.4.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.5.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.6.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.7.0
- cpe:2.3:a:devolutions:devolutions_server:2025.3.8.0