Impact
The vulnerability allows a user who is already authenticated to gain unauthorized access to attachments stored in the system. By duplicating a folder, the user inherits permissions that grant them access to sensitive attachments that they should not see. This improper control can lead to exposure of confidential data and potentially further exploitation if the attachments contain malicious code. The weakness is a classic missing authorization flaw (CWE‑862).
Affected Systems
Devolutions Server versions 2026.2.5 and 2026.1.21 are impacted. Users running these releases should verify their deployment and consult the advisory for further details.
Risk and Exploitability
This vulnerability has a CVSS score of 6.5, classifying it as medium severity. The EPSS score is less than 1 %, indicating a relatively low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, so no known live exploit has been reported. However, because the flaw enables lateral movement within an authenticated session, it remains a significant concern for organizations that rely on strict access controls. Attackers would need to be authenticated with a valid user account and then exploit the folder duplication feature to access the protected attachments.
OpenCVE Enrichment