Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
AnalysisAI
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated low-privilege user to delete PAM network discovery scan configurations that should be restricted to administrators. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privilege account over the network with no user interaction. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
Devolutions Server is a Privileged Access Management (PAM) platform; the affected component is its account discovery feature, which scans networks to identify and onboard privileged accounts. CWE-284 (Improper Access Control) indicates the server fails to enforce role separation on destructive operations - specifically, the API endpoint or UI handler for deleting discovery scan configurations does not validate that the requesting user holds administrative privileges before executing the operation. The CPE string cpe:2.3:a:devolutions:server:*:*:*:*:*:*:*:* confirms all version instances of the server product are in scope up to and including 2026.1.19.
RemediationAI
Consult the Devolutions security advisory DEVO-2026-0014 at https://devolutions.net/security/advisories/DEVO-2026-0014/ for the confirmed fixed release version and upgrade guidance; the exact patched version is not independently confirmed from the data available at time of analysis beyond the implication that versions after 2026.1.19 contain the fix. As a compensating control, restrict Devolutions Server PAM account discovery access to the minimum set of users who require it, and audit existing user role assignments to remove discovery-related permissions from non-administrative accounts. Monitoring deletion events in PAM discovery scan configurations via Devolutions Server's audit logs can serve as a detective control until the patch is applied. Note that restricting user access may impact discovery workflows if low-privilege accounts are legitimately assigned to run scans.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33937
GHSA-7x7j-8c59-q4gr