Vulnerabilities
Vulnerable Software
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
CVSS Score: 5.4
EPSS Score: 0.0
Published: 2026-06-02
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
CVSS Score: 5.3
EPSS Score: 0.0
Published: 2026-06-02
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
CVSS Score: 4.3
EPSS Score: 0.0
Published: 2026-05-22
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
CVSS Score: 8.2
EPSS Score: 0.001
Published: 2026-04-01
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
CVSS Score: 5.4
EPSS Score: 0.0
Published: 2026-04-01
Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
CVSS Score: 8.2
EPSS Score: 0.0
Published: 2026-04-01
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
CVSS Score: 4.3
EPSS Score: 0.0
Published: 2026-04-01
Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
CVSS Score: 8.1
EPSS Score: 0.0
Published: 2026-03-20

