Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Local file access is the attack vector; PR:N reflects the attacker needing no Devolutions Server privileges, only file access; C:L because a single Azure credential is exposed with no integrity or availability impact.
Primary rating from Vendor (DEVOLUTIONS).
CVSS VectorVendor: DEVOLUTIONS
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insertion of sensitive information into a file in the Recovery Kit response file generation feature in Devolutions Server 2026.1.22.0, 2026.2.11.0 allows an attacker with access to the generated response file to obtain the Azure Key Vault client secret in cleartext, even when the option to exclude sensitive data is selected.
AnalysisAI
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) Devolutions Server must be running an affected version (below 2026.1.23 in the 2026.1.x branch or below 2026.2.12 in the 2026.2.x branch) with an Azure Key Vault client secret configured in its integration settings; (2) a legitimate user (UI:R per CVSS) must have initiated Recovery Kit response file generation - the vulnerability is triggered at generation time, not at runtime; (3) the attacker must obtain read access to the generated response file, whether through insider access, a compromised host with file share access, insecure backup storage, or accidental distribution. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.3 (Low) base score reflects a local attack vector (AV:L), no privileges required on the Devolutions Server itself (PR:N), and mandatory user interaction (UI:R) - all of which constrain exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An administrator on an affected Devolutions Server instance generates a Recovery Kit response file and, trusting the 'exclude sensitive data' option, stores it in a shared internal network location for disaster recovery purposes. An insider threat or an attacker who has compromised a low-privileged workstation with access to that share opens the file in a text editor and reads the Azure Key Vault client secret in cleartext. … |
| Remediation | Upgrade Devolutions Server to version 2026.1.23 or later (for 2026.1.x deployments) or to version 2026.2.12 or later (for 2026.2.x deployments), as documented in the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0024/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44365
GHSA-wv55-rmpm-fhq6