Description
Improper access control in the social login connection endpoint in
Devolutions Server 2026.2.5 allows an authenticated vault member to
enumerate social login entry metadata to which they are not authorized
via a crafted API request.
Published: 2026-06-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from improper access control in the social login connection endpoint of Devolutions Server. An authenticated vault member can craft an API request to enumerate social login entry metadata that they are not authorized to view. The primary impact is the unauthorized disclosure of information that may include details of social login accounts, potentially enabling further compromise or correlation with other accounts. The weakness aligns with CWE-200, an information disclosure flaw.

Affected Systems

The affected product is Devolutions Server, specifically version 2026.2.5. No other versions are noted in the data, and the advisory references only this release.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not included in the CISA KEV catalog. Nevertheless, because the flaw requires authenticated access, the risk is primarily to users with vault member privileges who may inadvertently access metadata. Attackers would need valid credentials and knowledge of the API endpoint, so the attack vector is remote via API. The CVSS score of 4.3 indicates a medium severity, reflecting a moderate risk to confidentiality, especially in environments where social login metadata is sensitive.

Generated by OpenCVE AI on June 18, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or update provided by Devolutions to resolve the access control issue.
  • If an update is not yet available, restrict the social login connection endpoint to privileged users or disable it entirely for non-admin members.
  • Enforce stricter role-based access controls and review ACLs to ensure only authorized personnel can retrieve social login metadata.
  • Monitor audit logs for any enumeration attempts of social login entries.

Generated by OpenCVE AI on June 18, 2026 at 21:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Enumeration of Social Login Metadata in Devolutions Server via Improper Access Control

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Enumeration of Social Login Metadata in Devolutions Server via Improper Access Control
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions devolutions Server
Vendors & Products Devolutions
Devolutions devolutions Server

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
Weaknesses CWE-200
References

Subscriptions

Devolutions Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-17T15:14:46.588Z

Reserved: 2026-06-12T14:47:47.711Z

Link: CVE-2026-12117

cve-icon Vulnrichment

Updated: 2026-06-17T15:14:38.469Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:27.577

Modified: 2026-06-16T20:41:35.520

Link: CVE-2026-12117

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor