Description
Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is improper host validation in the social login autofill feature of Devolutions Remote Desktop Manager version 2026.2.8. When a forged or lookalike domain is presented as a social login provider, the application accepts the host and autofills the stored credentials into it, exposing the user's social login passwords. This is a breach of confidentiality: an attacker obtains valid credentials without executing code or disrupting services.

Affected Systems

Devolutions Remote Desktop Manager, specifically the 2026.2.8 release.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term. It is currently not listed in the CISA KEV catalog. The likely attack vector is a remote attacker delivering a crafted web entry that mimics a legitimate social login provider; when the user's Remote Desktop Manager client encounters that entry during autofill, it accepts the host and leaks the stored credentials. Exploitation appears to require that the user interacts with the lookalike provider and that the client's host validation is inadequate. The advisory provides no existing mitigations, so a patch or configuration change is needed.

Generated by OpenCVE AI on June 16, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of Devolutions Remote Desktop Manager where the host validation issue is fixed.
  • Disable or restrict the social login autofill function until a patch is applied to prevent accidental credential disclosure.
  • Configure network or DNS filtering to block known forged provider domains and monitor for unusual login requests.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 21:15:00 +0000

Type: Title
Values added: Host Validation Flaw Exposes Social Login Credentials

Tue, 16 Jun 2026 20:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:*:windows:*:*

Tue, 16 Jun 2026 13:30:00 +0000

Type: Weaknesses
Values added: CWE-297

Type: Metrics
Values added:
  cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 06:30:00 +0000

Type: First Time appeared
Values added: Devolutions; Devolutions remote Desktop Manager

Type: Vendors & Products
Values added: Devolutions; Devolutions remote Desktop Manager

Tue, 16 Jun 2026 00:45:00 +0000

Type: Description
Values added: Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.
References

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-16T12:51:25.016Z

Reserved: 2026-06-12T19:19:57.058Z

Link: CVE-2026-12162

Vulnrichment

Updated: 2026-06-16T12:50:38.166Z

NVD

Status: Analyzed

Published: 2026-06-16T01:16:23.937

Modified: 2026-06-16T20:33:01.147

Link: CVE-2026-12162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:00:12Z

Weaknesses
  • CWE-297: Improper Validation of Certificate with Host Mismatch