Description
Improper access control in PAM account discovery results in Devolutions
Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve
account discovery scan results.
Published: 2026-06-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Devolutions Server 2026.2.5 and 2026.1.21 allows an authenticated user to retrieve PAM account discovery scan results, exposing potentially sensitive account information. The weakness is classified as a privilege management issue (CWE‑882) and a privilege denial issue (CWE‑284). The primary impact is the unauthorized disclosure of data that could aid further attacks such as credential harvesting or lateral movement.

Affected Systems

The vulnerability affects Devolutions Server versions 2026.2.5 and 2026.1.21. No other product versions are listed as impacted.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating a low probability of exploitation in the wild. However, the flaw requires only authentication, a status any logged‑in user could have, and gives direct access to account discovery results. The CVSS score is 4.3, reflecting moderate impact, but the risk is that an authenticated attacker could gather sensitive information without additional privileges.

Generated by OpenCVE AI on June 18, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Devolutions Server to the latest version that contains the fix
  • Limit account discovery result access by implementing least‑privilege roles or revoking permissions for users who do not need the data
  • Continuously monitor user activity and audit account discovery logs for suspicious access patterns

Generated by OpenCVE AI on June 18, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Authenticated Disclosure of PAM Account Discovery Results
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions devolutions Server
Vendors & Products Devolutions
Devolutions devolutions Server

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
Weaknesses CWE-882
References

Subscriptions

Devolutions Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-17T15:13:34.386Z

Reserved: 2026-06-10T15:08:21.510Z

Link: CVE-2026-11890

cve-icon Vulnrichment

Updated: 2026-06-17T15:13:23.910Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:27.227

Modified: 2026-06-16T20:41:35.520

Link: CVE-2026-11890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses