Impact
This vulnerability stems from improper access control in the social login connection endpoint of Devolutions Server. An authenticated vault member can craft an API request to enumerate social login entry metadata that they are not authorized to view. The primary impact is the unauthorized disclosure of information that may include details of social login accounts, potentially enabling further compromise or correlation with other accounts. The weakness aligns with CWE-200, an information disclosure flaw.
Affected Systems
The affected product is Devolutions Server, specifically version 2026.2.5. No other versions are noted in the data, and the advisory references only this release.
Risk and Exploitability
The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not included in the CISA KEV catalog. Nevertheless, because the flaw requires authenticated access, the risk is primarily to users with vault member privileges who may inadvertently access metadata. Attackers would need valid credentials and knowledge of the API endpoint, so the attack vector is remote via API. The CVSS score of 4.3 indicates a medium severity, reflecting a moderate risk to confidentiality, especially in environments where social login metadata is sensitive.
OpenCVE Enrichment