Devolutions: >> Devolutions Server >> 2023.2.1.0 Security Vulnerabilities
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-06-02
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-06-02
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
5.4
EPSS Score
0.0
Published
2026-05-22
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
4.3
EPSS Score
0.0
Published
2026-05-22
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
5.0
EPSS Score
0.001
Published
2026-05-22
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
4.3
EPSS Score
0.0
Published
2026-05-22
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
2.4
EPSS Score
0.0
Published
2026-05-22
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
2.6
EPSS Score
0.0
Published
2026-05-22
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Score
3.1
EPSS Score
0.0
Published
2026-05-22
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-05-22
Page 1