Vulnerability Details CVE-2026-8407
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.
This issue affects the following versions :
*
Devolutions Server 2026.1.6.0 through 2026.1.11.0
*
Devolutions Server 2025.3.16.0 and earlier
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.7%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2026-8407
-
cpe:2.3:a:devolutions:devolutions_server:-
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.15.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.16.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.17.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.18.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.19.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.20.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.1.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2019.2.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.1.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.1.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.1.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.1.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.1.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.2.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.2.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.2.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.2.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.3
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.17.0
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.18
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.20
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.21
-
cpe:2.3:a:devolutions:devolutions_server:2020.3.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.1
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.17
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.17.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.18
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.19.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.20.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.1.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.2.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.2.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.2.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2021.2.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.1.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.1.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.1.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.1.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.1.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.2.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.0.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.2
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2022.3.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.0.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.1.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.2.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.16.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.17.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.18.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2023.3.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.15.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.1.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.2.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.0.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.15.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.16.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.17.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2024.3.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.0.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.13.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.1.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.15.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.17.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.19.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.21.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.22.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.2.9.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.1.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.10.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.12.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.14.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.15.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.16.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.17
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.2.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.3.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2025.3.8.0
-
cpe:2.3:a:devolutions:devolutions_server:2026.1.11.0
-
cpe:2.3:a:devolutions:devolutions_server:2026.1.6.0
-
cpe:2.3:a:devolutions:devolutions_server:2026.1.7.0