Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission.
AnalysisAI
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated user holding entry edit privileges to modify asset information beyond their authorized scope, bypassing the permission validation layer. The flaw resides in the permission validation component and enables privilege overreach within the platform's access control model - an authenticated low-privilege user can alter data they should have no write access to. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
Devolutions Server is a privileged access management (PAM) and credential vault platform. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the permission validation component fails to enforce the full set of required permissions before allowing a write operation on asset information. The flaw lies in the separation between 'entry edit' privileges and the distinct 'asset modification' permission - the system incorrectly conflates or short-circuits these checks, allowing a user with the former to perform actions gated behind the latter. Affected product is identified via CPE cpe:2.3:a:devolutions:server:*:*:*:*:*:*:*:*, covering all versions up to and including 2026.1.19. The tag 'Authentication Bypass' refers to a bypass of the secondary permission gate, not of authentication itself.
RemediationAI
Upgrade Devolutions Server beyond version 2026.1.19 per the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0014/. An exact patched version number was not provided in the available data - consult the Devolutions advisory directly to confirm the specific release that resolves CVE-2026-9590 before upgrading. As a compensating control, organizations should audit and minimize the number of accounts granted 'entry edit' privileges to reduce the exposed attack surface, and review audit logs for any unexpected modifications to asset information that may indicate prior exploitation. Restricting the 'entry edit' role to only fully trusted users limits blast radius while a patched version is deployed. No significant side effects from the privilege scoping workaround are anticipated beyond operational overhead.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33935
GHSA-3xh5-wf4g-97h5