Impact
Improper access control in Devolutions Server 2026.2.5 and 2026.1.21 allows an authenticated user to retrieve PAM account discovery scan results, exposing potentially sensitive account information. The weakness is classified as a privilege management issue (CWE‑882) and a privilege denial issue (CWE‑284). The primary impact is the unauthorized disclosure of data that could aid further attacks such as credential harvesting or lateral movement.
Affected Systems
The vulnerability affects Devolutions Server versions 2026.2.5 and 2026.1.21. No other product versions are listed as impacted.
Risk and Exploitability
The EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating a low probability of exploitation in the wild. However, the flaw requires only authentication, a status any logged‑in user could have, and gives direct access to account discovery results. The CVSS score is 4.3, reflecting moderate impact, but the risk is that an authenticated attacker could gather sensitive information without additional privileges.
OpenCVE Enrichment