Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.
This issue affects the following versions :
*
Devolutions Server 2026.1.6.0 through 2026.1.11.0
*
Devolutions Server 2025.3.16.0 and earlier
AnalysisAI
Missing authorization in the PAM module of Devolutions Server allows authenticated users with a PAM license to retrieve OTP secret keys and recovery codes without additional permissions, leading to account compromise through crafted API requests. Affected versions include Devolutions Server 2025.3.16.0 and earlier, plus 2026.1.6.0 through 2026.1.11.0. No public exploit code or active exploitation has been identified; however, the low CVSS score and minimal EPSS percentile suggest limited real-world attack incentive despite the confidentiality impact.
Technical ContextAI
The vulnerability stems from insufficient authorization checks (CWE-862) in the PAM module's API endpoints that handle OTP secrets and recovery codes. The PAM (Privileged Access Management) module in Devolutions Server is designed to secure sensitive credentials and multi-factor authentication data; however, the implementation fails to verify that the requesting authenticated user has explicit permissions beyond holding a PAM license to access these endpoints. The affected products are specifically identified by CPE cpe:2.3:a:devolutions:server:*:*:*:*:*:*:*:*, indicating all configurations of the affected version ranges are vulnerable when the PAM module is deployed.
RemediationAI
Upgrade Devolutions Server immediately to version 2025.3.17.0 or later for the 2025.3.x branch, or to 2026.1.12.0 or later for the 2026.1.x branch. The patch restores proper authorization checks to PAM API endpoints and must be applied to all Devolutions Server instances with the PAM module active. Consult the Devolutions security advisory DEVO-2026-0010 at https://devolutions.net/security/advisories/DEVO-2026-0010/ for precise patch availability and deployment guidance. As an interim compensating control (with significant operational trade-off), restrict network access to PAM API endpoints via firewall rules to only trusted administrative clients, but this is NOT a substitute for patching and will degrade PAM functionality for legitimate remote users. Organizations unable to patch immediately should audit PAM module API logs for unauthorized access attempts and review OTP secret/recovery code access by non-administrative users.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29544
GHSA-4mvv-f9gf-4m5q