Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (DEVOLUTIONS) · only source for this CVE.
CVSS VectorVendor: DEVOLUTIONS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.
This issue affects :
- Devolutions Server 2026.2.4.0
- Devolutions Server 2026.1.20.0 and earlier
AnalysisAI
Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.
Technical ContextAI
The root cause is CWE-862 (Missing Authorization), a class of flaw where an application fails to enforce access control decisions on a specific API endpoint before executing sensitive operations. In this case, the Devolutions Server deleted user groups API does not verify whether the requesting principal holds the necessary permissions to retrieve group metadata, allowing any authenticated session - regardless of privilege level - to query that endpoint. Devolutions Server (CPE: cpe:2.3:a:devolutions:server) is an enterprise privileged access management and secrets vault platform; its API surface manages sensitive organizational structures including user group definitions. The deleted-groups endpoint is presumably intended for administrative review only, making the missing check a privilege boundary violation. The tag 'Authentication Bypass' from the source intelligence reflects the ability to circumvent the intended authorization boundary, though the attacker still requires a valid low-privileged credential.
RemediationAI
Apply the vendor-released patch per the Devolutions security advisory at https://devolutions.net/security/advisories/DEVO-2026-0015/. The specific fixed release version is not explicitly stated in the available data - patch version not independently confirmed from provided sources; consult the advisory directly for the exact upgrade target. As a compensating control prior to patching, restrict API access to the deleted user groups endpoint at the network perimeter or reverse proxy layer to administrative source IPs only; note this trade-off may break legitimate administrative workflows that access the endpoint remotely. Additionally, audit low-privileged account inventories in Devolutions Server to minimize the number of accounts capable of reaching internal APIs, reducing the pool of potential exploiting principals.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35183