Description
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.

This issue affects:

* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier

Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Devolutions Server API for deleted user groups allows an attacker who has already authenticated with a low-privileged account to request information about groups that have been deleted, exposing metadata that should be protected. This flaw does not provide code execution, but the structure and identifiers it reveals may assist subsequent attacks. The weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

Devolutions Server version 2026.2.4.0, and versions 2026.1.20.0 and earlier, are affected. The vulnerability resides in the server product supplied by Devolutions.

Risk and Exploitability

The public EPSS score is not available and the issue is not listed in the CISA KEV catalog, indicating no documented active exploitation at this time. Based on the description, it is inferred that the vulnerability can be exercised via the exposed API, suggesting a network attack vector. While the severity is not quantified with a CVSS score, the potential to gain additional privilege through metadata enumeration warrants timely remediation.

Generated by OpenCVE AI on June 8, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version that removes the missing authorization check (for example 2026.2.5.0 or later).
  • Apply role-based access controls to ensure only privileged users can call the deleted user groups API endpoint.
  • Monitor API traffic for abnormal calls to the deleted user groups endpoint and review logs for suspicious activity.
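
The two recommendations above (an explicit authorization check on the endpoint, and monitoring calls to it) are illustrated below with hypothetical code added for this page; it is not Devolutions Server's code, and the endpoint path `/api/hypothetical/user-groups/deleted`, the role name `Administrator` and the access-log format are all assumptions. The first handler shows the CWE-862 pattern (authentication treated as sufficient, no authorization decision), the second the hardened form, and the last function scans constructed log lines for successful calls by principals without an administrative role.

```python
"""Hypothetical illustration of CWE-862 on a deleted-user-groups style endpoint,
with a small log check for the monitoring recommendation. Not Devolutions code."""
import re
from dataclasses import dataclass

# Assumed role model for the illustration; a real product has its own.
ADMIN_ROLES = {"Administrator"}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


# Constructed sample data standing in for metadata of deleted groups.
DELETED_GROUPS = [
    {"id": 17, "name": "finance-admins", "deleted_by": "alice",
     "deleted_at": "2026-05-30T10:02:00Z"},
    {"id": 23, "name": "vault-operators", "deleted_by": "bob",
     "deleted_at": "2026-06-01T08:14:00Z"},
]


class Forbidden(Exception):
    """Raised when an authenticated principal is not authorized for a resource."""


def list_deleted_groups_unchecked(principal: Principal) -> list:
    """Vulnerable pattern (CWE-862): being authenticated is treated as enough.
    Any logged-in principal, however low-privileged, receives the metadata."""
    return list(DELETED_GROUPS)


def list_deleted_groups(principal: Principal) -> list:
    """Hardened pattern: an explicit allow-list check runs before any data is read."""
    if not (principal.roles & ADMIN_ROLES):
        raise Forbidden(f"{principal.name} lacks a role permitted to view deleted groups")
    return list(DELETED_GROUPS)


def is_denied(principal: Principal) -> bool:
    """True when the hardened handler refuses the principal."""
    try:
        list_deleted_groups(principal)
    except Forbidden:
        return True
    return False


# Constructed access-log lines: "timestamp user role method path status".
SAMPLE_LOG = """\
2026-06-08T19:02:11Z alice Administrator GET /api/hypothetical/user-groups/deleted 200
2026-06-08T19:03:45Z carol User GET /api/hypothetical/user-groups/deleted 200
2026-06-08T19:03:46Z carol User GET /api/hypothetical/user-groups/deleted?page=2 200
2026-06-08T19:04:02Z dave User GET /api/hypothetical/user-groups 200
"""

# Match the deleted-groups path itself or with a query string, not its parent path.
DELETED_GROUPS_PATH = re.compile(r"^/api/hypothetical/user-groups/deleted(\?|$)")


def find_unprivileged_access(log_text: str) -> list:
    """Return (timestamp, user, path) for every successful call to the
    deleted-groups endpoint made by a principal without an admin role."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the review
        ts, user, role, _method, path, status = parts
        if status == "200" and role not in ADMIN_ROLES and DELETED_GROUPS_PATH.match(path):
            hits.append((ts, user, path))
    return hits


if __name__ == "__main__":
    low = Principal("carol", frozenset({"User"}))
    print("unchecked handler returns", len(list_deleted_groups_unchecked(low)), "groups to a low-privileged user")
    print("hardened handler denies low-privileged user:", is_denied(low))
    for ts, user, path in find_unprivileged_access(SAMPLE_LOG):
        print("review:", ts, user, path)
```

The detection function keys on the role recorded in the log rather than on the status code alone, so it flags a successful response to a non-administrative principal (which is exactly what a missing check produces) while ignoring the same calls by administrators; on a patched server the same query should return nothing, which makes it a useful post-upgrade check as well.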

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Devolutions; Devolutions server |
| Vendors & Products | | Devolutions; Devolutions server |

Mon, 08 Jun 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects: Devolutions Server 2026.2.4.0; Devolutions Server 2026.1.20.0 and earlier |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-08T18:26:25.970Z

Reserved: 2026-06-03T18:28:40.149Z

Link: CVE-2026-10787

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T19:16:34.553

Modified: 2026-06-08T19:16:34.553

Link: CVE-2026-10787

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T21:00:14Z

Weaknesses