Skip to main content

Devolutions Server CVE-2026-10544

| EUVDEUVD-2026-35184 MEDIUM
OS Command Injection (CWE-78)
2026-06-08 DEVOLUTIONS
6.5
CVSS 3.1 · Vendor: DEVOLUTIONS
Share

Severity by source

Vendor (DEVOLUTIONS) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (DEVOLUTIONS) · only source for this CVE.

CVSS VectorVendor: DEVOLUTIONS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 21:23 vuln.today
CVSS changed
Jun 08, 2026 - 21:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 08, 2026 - 18:26 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.

This issue affects :

  • Devolutions Server 2026.2.4.0
  • Devolutions Server 2026.1.20.0 and earlier

AnalysisAI

Command injection (CWE-78) in Devolutions Server's built-in PAM provider password rotation templates allows an attacker with vault write access to execute arbitrary OS commands on systems managed by the affected PAM provider. Affected versions include 2026.2.4.0 and all releases at or below 2026.1.20.0, reported directly by the vendor Devolutions. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the high-value nature of a PAM platform managing privileged credentials on downstream systems means the practical blast radius substantially exceeds what the CVSS C:L/I:L scores suggest.

Technical ContextAI

CWE-78 (Improper Neutralization of Special Elements used in an OS Command) describes a failure to sanitize user-controlled input before it is passed to an OS command interpreter. In this case, the vulnerable surface is the built-in PAM (Privileged Access Management) provider's password rotation template engine within Devolutions Server - a centralized secrets and privileged access platform. Password rotation templates define how credentials are cycled on managed systems; if special characters or shell metacharacters embedded in template fields are not neutralized, an attacker can inject arbitrary commands that execute in the context of the process performing the rotation. The HashiCorp tag in the intelligence record suggests that HashiCorp Vault-integrated workflows or HashiCorp-style PAM provider configurations may be specifically implicated, though the vulnerability is described as affecting the built-in PAM provider templates. The CPE string cpe:2.3:a:devolutions:server:*:*:*:*:*:*:*:* covers all Devolutions Server versions under NVD tracking.

RemediationAI

Patch available per vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0015/ - the specific patched version number is not identified in the available intelligence and must be confirmed directly from the Devolutions advisory before upgrading. Organizations should consult the advisory to determine the minimum safe release and apply it promptly. As an interim compensating control, restrict vault write permissions to the minimum required set of users and service accounts, specifically limiting who can create or modify PAM provider password rotation templates. Disabling or removing unused built-in PAM provider integrations (particularly HashiCorp-linked configurations if not in use) reduces exposure until patching is complete. Monitor Devolutions Server audit logs for unexpected template modifications or password rotation events as a detection measure. Note that restricting vault write access may impact legitimate automated password rotation workflows and should be coordinated with PAM administrators.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

Share

CVE-2026-10544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy