Description
Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.

This issue affects :

* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Published: 2026-06-08
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An access control flaw in Devolutions Server’s ticketing integration settings allows an authenticated low‑privileged user to craft a specific API request that returns the integration’s cleartext username and password. The vulnerability is classified as CWE‑312, indicating that sensitive information is being stored or transmitted in an unencrypted form, enabling attackers to obtain credentials that could be leveraged against linked ticketing platforms or other services.

Affected Systems

Vulnerable are Devolutions Server 2026.2.4.0 and all prior releases back through 2026.1.20.0. Only the server product is affected; other Devolutions offerings are not listed.

Risk and Exploitability

The flaw requires authentication, so it is not a remote unauthenticated attack, but any low‑privileged user can trigger it over the network. No EPSS data is available and the vulnerability is not listed in CISA KEV, indicating no known public exploits. Nonetheless, exposure of ticketing credentials poses a high‑risk threat, as adversaries could immediately gain access to external ticketing systems, potentially leading to broader compromise.

Generated by OpenCVE AI on June 8, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade Devolutions Server to a version where the access control issue is fixed.
  • If a patch is not yet available, temporarily disable the affected ticketing integrations or restrict access to those settings to privileged roles only.
  • Ensure that any stored integration credentials are encrypted in transit and at rest, and enforce strict role‑based access controls on API endpoints as per vendor guidance.

Generated by OpenCVE AI on June 8, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Cleartext Ticketing Integration Credentials Exposed to Low‑Privileged Users in Devolutions Server

Mon, 08 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Cleartext Ticketing Integration Credentials Exposed to Low‑Privileged Users in Devolutions Server
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Mon, 08 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier
Weaknesses CWE-312
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-08T19:44:31.961Z

Reserved: 2026-06-03T18:28:18.543Z

Link: CVE-2026-10786

cve-icon Vulnrichment

Updated: 2026-06-08T19:44:18.955Z

cve-icon NVD

Status : Received

Published: 2026-06-08T19:16:34.430

Modified: 2026-06-08T21:16:27.813

Link: CVE-2026-10786

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T22:00:15Z

Weaknesses