Skip to main content

Devolutions Server EUVDEUVD-2026-29733

| CVE-2026-5146 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 security@devolutions.net GHSA-hm73-pxhm-5967
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 16:24 vuln.today
CVSS changed
May 13, 2026 - 16:22 NVD
4.3 (MEDIUM)
CVE Published
May 12, 2026 - 18:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 18:17 nvd
MEDIUM 4.3

DescriptionCVE.org

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.

This issue affects the following versions :

*

Devolutions Server 2026.1.6.0 through 2026.1.15.0

*

Devolutions Server 2025.3.19.0 and earlier

AnalysisAI

Unauthenticated attackers can modify or delete arbitrary user notification records in Devolutions Server due to missing session validation in notification management endpoints. The vulnerability affects Devolutions Server 2025.3.19.0 and earlier, plus versions 2026.1.6.0 through 2026.1.15.0. CVSS 4.3 indicates low-to-moderate risk, but the EPSS percentile of 4% suggests this is not a high-priority target for automated exploitation despite the authentication bypass tag.

Technical ContextAI

The vulnerability stems from improper access control (CWE-862) in the REST API endpoints responsible for notification management within Devolutions Server. The root cause is missing or insufficient session validation - the server fails to verify that an incoming request to modify or delete notifications originates from an authenticated user with permission to access those resources. This is distinct from broken authentication; the issue allows an attacker without valid credentials to craft requests directly against notification endpoints (likely via HTTP POST/DELETE operations) and perform state-changing operations on notification records belonging to other users. The attack operates over the network (AV:N) with low complexity (AC:L), but the CVSS vector includes PR:L, indicating the vulnerability actually requires low-privilege authentication to exploit - a material constraint not reflected in the summary of 'unauthenticated' attackers in the description. This inconsistency suggests either that some endpoints require authentication while others do not, or that the description and CVSS vector reflect different attack scenarios.

RemediationAI

Upgrade Devolutions Server to version 2026.1.16.0 or later (which addresses the 2026.1.x branch) or to the next patched release after 2025.3.19.0 for the 2025.3.x branch - exact patched version for the 2025.3.x line is not specified in the provided data and should be confirmed via the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0012. As a compensating control prior to patching, restrict network access to Devolutions Server notification management endpoints (typically /api/notification or similar paths) using a Web Application Firewall or network-layer ACLs, allowing only authenticated internal users from trusted subnets. However, this does not fully mitigate the vulnerability if low-privilege users can still exploit it; the primary mitigation is patching. Monitor Devolutions Server API logs for DELETE or POST requests to notification endpoints from unexpected sources or users.

CVE-2026-3204 CRITICAL
9.8 Mar 03

Input validation flaw in Devolutions Server error message page enables remote spoofing attacks.

CVE-2026-3224 CRITICAL
9.8 Mar 03

Azure AD auth bypass in Devolutions Server 2025.3.15.0 and earlier.

CVE-2026-0610 CRITICAL
9.8 Jan 19

Devolutions Server 2025.3.1 through 2025.3.6 contains a SQL injection vulnerability in the remote sessions component tha

CVE-2026-3130 CRITICAL
9.8 Mar 03

Behavioral control bypass in Devolutions Server 2025.3.15 allows authenticated users to exploit delete permissions.

CVE-2024-2921 CRITICAL
9.8 Mar 26

Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated u

CVE-2021-23921 CRITICAL
9.1 Apr 01

An issue was discovered in Devolutions Server before 2020.3. Rated critical severity (CVSS 9.1), this vulnerability is r

CVE-2025-13757 HIGH
8.8 Nov 27

SQL Injection vulnerability in last usage logs in Devolutions Server.2.20, through 2025.3.8. Rated high severity (CVSS 8

CVE-2024-2915 HIGH
8.8 Mar 26

Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access t

CVE-2023-0953 HIGH
8.8 Mar 01

Insufficient input sanitization in the documentation feature of Devolutions Server 2022.3.12 and earlier allows an authe

CVE-2023-0951 HIGH
8.8 Mar 01

Improper access controls on some API endpoints in Devolutions Server 2022.3.12 and earlier could allow a standard privil

CVE-2022-33996 HIGH
8.8 Jul 07

Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inh

CVE-2025-4433 HIGH
8.7 May 30

Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrativ

Share

EUVD-2026-29733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy