
Devolutions Server EUVD-2026-35182 | CVE-2026-10786 MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2026-06-08 · Vendor: DEVOLUTIONS · CVSS 3.1 base score 6.5

Severity by source

Vendor (DEVOLUTIONS) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (DEVOLUTIONS) · only source for this CVE.

CVSS Vector (Vendor: DEVOLUTIONS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated · Jun 08, 2026 - 21:23 · vuln.today
CVSS changed · Jun 08, 2026 - 21:22 · NVD · 6.5 (MEDIUM)
CVE Published · Jun 08, 2026 - 18:26 · NVD · UNKNOWN (no severity yet)

Description (CVE.org)

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.

This issue affects:

  • Devolutions Server 2026.2.4.0
  • Devolutions Server 2026.1.20.0 and earlier

Analysis (AI)

Cleartext credential exposure in Devolutions Server allows an authenticated low-privileged user to retrieve plaintext credentials stored for configured ticketing integrations via a crafted API request. Affected versions include Devolutions Server 2026.2.4.0 and all 2026.1.x releases up to and including 2026.1.20.0. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privileged Devolutions Server credentials
Delivery: Authenticate to Devolutions Server over the network
Exploit: Craft an API request targeting the ticketing integration settings endpoint
Execution: Bypass the access control check
Persist: Receive cleartext third-party service credentials in the API response
Impact: Leverage the credentials against the external ticketing system

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated account in Devolutions Server with at minimum low-privilege access (confirmed by CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 base score of 6.5 (Medium) accurately reflects the primary constraint: the attack requires a valid low-privileged account (PR:L), limiting the attack surface compared to unauthenticated vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a low-privileged Devolutions Server account - such as a contractor, help desk user, or compromised standard user - crafts an API request targeting the ticketing integration settings endpoint without the authorization checks enforced for higher-privileged roles. The response returns cleartext credentials for configured integrations (e.g., a Jira service account password or API token), which the attacker then uses to access those external systems. …

Remediation: Consult and apply the guidance in vendor advisory DEVO-2026-0015 at https://devolutions.net/security/advisories/DEVO-2026-0015/ to obtain the patched release. … Detailed patch versions, workarounds, and compensating controls in full report.
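The bug class in the description and in the exploit scenario above (an integration-settings endpoint that is authenticated but not authorized, and that returns the stored secret in its response) is easy to reproduce in miniature. The following is an added illustration, not Devolutions' code: the endpoint shape, the record fields, the roles "user" and "admin", and the placeholder token are all hypothetical. It places a vulnerable handler beside a hardened one and includes a regression check that any settings response can be run through.

```python
# Added illustration (not Devolutions' code): hypothetical roles, fields and
# endpoint shape. Vulnerable handler: authenticated caller gets the secret.
# Hardened handler: deny by default, and the secret is never part of a response.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # hypothetical roles: "user" (low privilege) or "admin"


@dataclass(frozen=True)
class TicketingIntegration:
    name: str
    base_url: str
    service_account: str
    api_token: str  # the credential that must never leave the server in cleartext


# Constructed sample record; the token is a placeholder, not a real secret.
STORE = {
    "jira-prod": TicketingIntegration(
        "jira-prod", "https://jira.example.internal", "svc-dvls",
        "PLACEHOLDER-TOKEN-0000"),
}


def handle_vulnerable(user, name):
    """Authenticated but not authorized: every logged-in user receives the full
    record, secret included. Returns (status, body) like an HTTP handler."""
    integ = STORE.get(name)
    if integ is None:
        return 404, {"error": "not found"}
    return 200, {"name": integ.name, "base_url": integ.base_url,
                 "service_account": integ.service_account,
                 "api_token": integ.api_token}


def handle_hardened(user, name):
    """The role check runs before any lookup (so non-admins cannot even
    enumerate integration names), and the response reports only whether a
    token is configured. Rotation is a separate write operation; nothing
    reads the stored value back out to a client."""
    if user.role != "admin":
        return 403, {"error": "forbidden"}
    integ = STORE.get(name)
    if integ is None:
        return 404, {"error": "not found"}
    return 200, {"name": integ.name, "base_url": integ.base_url,
                 "service_account": integ.service_account,
                 "api_token_set": bool(integ.api_token)}


def leaks_secret(body):
    """Regression check for any settings response: True if a stored secret
    appears verbatim among the response values."""
    secrets = {i.api_token for i in STORE.values()}
    return any(isinstance(v, str) and v in secrets for v in body.values())


if __name__ == "__main__":
    low, admin = User("contractor", "user"), User("ops", "admin")
    for handler in (handle_vulnerable, handle_hardened):
        status, body = handler(low, "jira-prod")
        print(handler.__name__, "low-priv ->", status, "leaks:", leaks_secret(body))
    print("hardened admin ->", handle_hardened(admin, "jira-prod"))
```

The hardened handler closes both halves of the finding as the page states it: the authorization failure in the description ("improper access control") and the cleartext disclosure path that earns the CWE-312 label. It does not by itself change how the token is stored at rest, which CWE-312 also covers; that is a separate control. A `leaks_secret`-style assertion in the API test suite is the cheap way to keep a future response model from reintroducing the field.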




EUVD-2026-35182 vulnerability details – vuln.today
