Skip to main content

Server CVE-2026-4989

| EUVDEUVD-2026-17929 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-01 DEVOLUTIONS GHSA-w89v-w2pq-cc25
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 15:30 euvd
EUVD-2026-17929
Analysis Generated
Apr 01, 2026 - 15:30 vuln.today
CVE Published
Apr 01, 2026 - 15:07 nvd
MEDIUM 4.3

DescriptionCVE.org

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.

AnalysisAI

Server-side request forgery (SSRF) in Devolutions Server gateway health check feature allows low-privileged authenticated users to bypass input validation and trigger arbitrary requests, potentially disclosing sensitive information from internal systems or network resources. Affected versions are 2026.1.1-2026.1.11 and 2025.3.1-2025.3.17. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in the gateway health check API endpoint, a feature used to validate connectivity and status of backend gateway services. The root cause is improper input validation (CWE-918: Server-Side Request Forgery) that fails to restrict the target URL or resource that the health check mechanism can contact. Because the health check runs in the context of the Devolutions Server process (which typically has network access to internal systems), an attacker can craft malicious API requests to cause the server to issue HTTP requests to internal IP ranges, localhost services, or cloud metadata endpoints-bypassing network segmentation and revealing configuration, credentials, or other sensitive data. The CPE indicates all versions of Devolutions Server are potentially affected within the specified ranges.

RemediationAI

Upgrade Devolutions Server to a patched version released after 2026.1.11 or 2025.3.17 (exact fix versions are not specified in available data, so consult the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0010 for the specific recommended upgrade path). As an interim measure, restrict API access to the gateway health check endpoint to trusted administrative users, implement network-level controls to limit outbound requests from the Devolutions Server process to designated gateways only, and monitor API logs for suspicious health check requests containing unusual or internal IP addresses. Patch availability and exact fix versions should be confirmed directly with Devolutions through their security advisory.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

Share

CVE-2026-4989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy