Description
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
Published: 2026-06-25
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in the PAM AD discovery endpoints allows an authenticated user with the UserGroupsView permission to force the server to authenticate to an attacker-controlled host, so the server hands the attacker an NTLMv2 challenge-response computed with the PAM provider's credentials. The record classifies the flaw as CWE-1284 (Improper Validation of Specified Quantity in Input). The impact is a confidentiality loss (the vector scores C:L, I:N, A:N): a captured NTLMv2 response can be cracked offline to recover the provider password if it is weak, or relayed to another NTLM-accepting service that does not require signing while the coerced session is live.

Affected Systems

Devolutions Server versions 2026.2.4.0 through 2026.2.7.0 are affected. Only authenticated accounts that hold the UserGroupsView permission can reach the flaw; the CVSS vector treats this prerequisite as high privileges (PR:H).

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, giving a score of 2.7 (Low): the endpoint is reachable over the network with low attack complexity and no user interaction, but the attacker must already hold an account with UserGroupsView, and the only scored impact is a limited loss of confidentiality. No EPSS score is available. The SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. The attack path is to log in with that permission and submit an AD discovery request whose DomainName parameter points server-side authentication at a host the attacker controls. There is no public exploit documented and the CVE is not in CISA KEV. Successful exploitation yields the PAM provider account's NTLMv2 response, which can be cracked offline or relayed; because PAM provider accounts are used to discover and manage other accounts, treat that credential as privileged when assessing the real impact, which may exceed what the score suggests.

Generated by OpenCVE AI on June 25, 2026 at 16:54 UTC.
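The weakness described above is a parameter that selects the host the server authenticates to, validated for nothing more than being present. The following example is added here for illustration and is not Devolutions code; the endpoint internals are not public. It assumes a hypothetical configured-domain table (CONFIGURED_DOMAINS) and shows the unvalidated pattern beside a hardened one. The point it makes beyond the text: syntactic validation is not enough, because an attacker's own registered domain is a perfectly well-formed DNS name; only an allow-list of the domains the server was configured to discover stops the coercion.

```python
"""Added example (not Devolutions code): validating a DomainName parameter
that decides where the server will authenticate with PAM provider credentials."""
import ipaddress
import re

# Assumption for the example: domains the server is configured to discover,
# mapped to the domain controllers it is allowed to contact for each one.
CONFIGURED_DOMAINS = {
    "corp.example": ["dc01.corp.example", "dc02.corp.example"],
    "lab.example": ["dc01.lab.example"],
}

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def discovery_target_unvalidated(domain_name: str) -> str:
    """Vulnerable pattern: the caller-supplied value becomes the host the server
    authenticates to, so '203.0.113.7' or 'attacker.example' steers the NTLM
    exchange (and the PAM provider's NTLMv2 response) to the attacker."""
    return domain_name


def validate_domain_name(domain_name: str) -> str:
    """Hardened pattern: returns the canonical configured domain or raises
    ValueError. The allow-list check at the end is the one that matters;
    the syntax checks only reject the obviously malformed inputs early."""
    name = domain_name.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        raise ValueError("empty or over-long DomainName")
    # UNC paths, URLs, explicit ports, embedded credentials, whitespace:
    # none of these ever appear in a bare AD domain name.
    if any(c in name for c in "\\/:@ \t"):
        raise ValueError("DomainName contains path, port or URL characters")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("DomainName must not be an IP literal")
    if not all(_LABEL.fullmatch(label) for label in name.split(".")):
        raise ValueError("DomainName is not a valid DNS name")
    if name not in CONFIGURED_DOMAINS:
        raise ValueError(f"{name!r} is not a configured discovery domain")
    return name


def discovery_targets_validated(domain_name: str) -> list[str]:
    """Only the controllers of a configured domain can ever be contacted."""
    return list(CONFIGURED_DOMAINS[validate_domain_name(domain_name)])


def accepts(domain_name: str) -> bool:
    """True if the hardened validator would let this DomainName through."""
    try:
        validate_domain_name(domain_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("corp.example", "attacker.example", "203.0.113.7",
                      "\\\\203.0.113.7\\share", "corp.example:445"):
        print(f"{candidate!r}: unvalidated -> {discovery_target_unvalidated(candidate)!r}, "
              f"validated -> {'accepted' if accepts(candidate) else 'rejected'}")
```

In a real server the allow-list would come from the configured PAM providers rather than a constant, and the authentication target should be resolved from that configuration (DC locator or a stored controller list), never from the request.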

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a release the vendor identifies as fixed (this page lists no fixed version; the affected range ends at 2026.2.7.0).
  • Restrict the UserGroupsView permission to the administrators who need it, since it is the only prerequisite beyond an authenticated session.
  • If PAM AD discovery is not required, disable it rather than leaving the endpoints reachable.
  • Apply egress filtering on the Devolutions Server host so it can open SMB (445/139) and LDAP (389/636) connections only to approved domain controllers, and alert on any attempt to other hosts; review application logs for AD discovery requests whose DomainName is not a configured domain.
  • If the permission was ever held by an untrusted user, assume the PAM provider credential may already be exposed: rotate it, and enforce SMB and LDAP signing so a captured NTLMv2 response cannot be relayed.

Generated by OpenCVE AI on June 25, 2026 at 16:54 UTC.
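A concrete form of the network-side check above, as an added example that is not OpenCVE or Devolutions code: scan Windows Firewall log lines (pfirewall.log field order) for connections from the Devolutions Server host to NTLM-capable service ports on anything that is not an approved domain controller. The server address, the approved controller set and the port-to-service table are assumptions for the example, and the log lines are constructed, not a real capture. Dropped attempts are reported too, because a blocked connection to an unexpected host is still evidence that something coerced the server.

```python
"""Added example (not project code): detecting coerced outbound NTLM
authentication from a Devolutions Server host in Windows Firewall logs."""

# Assumptions for the example: the server's own address and the domain
# controllers it may legitimately authenticate to.
DVLS_HOST = "10.0.0.5"
APPROVED_DCS = {"10.0.0.10", "10.0.0.11"}
# Ports on which a coerced server would hand over an NTLM response.
# HTTP/WebDAV (80/443) can carry NTLM too; it is left out here so the
# alert list stays focused on the SMB/LDAP case this advisory implies.
NTLM_PORTS = {445: "smb", 139: "smb", 389: "ldap", 636: "ldaps"}

# First eight pfirewall.log fields; later fields are not needed here.
FIELDS = ("date", "time", "action", "protocol",
          "src_ip", "dst_ip", "src_port", "dst_port")

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-06-25 16:10:01 ALLOW TCP 10.0.0.5 10.0.0.10 52100 389 0 - 0 0 0 - - - SEND
2026-06-25 16:10:02 ALLOW TCP 10.0.0.5 203.0.113.7 52144 445 0 - 0 0 0 - - - SEND
2026-06-25 16:10:03 ALLOW TCP 10.0.0.5 203.0.113.7 52145 443 0 - 0 0 0 - - - SEND
2026-06-25 16:10:04 ALLOW TCP 10.0.0.9 203.0.113.7 40001 445 0 - 0 0 0 - - - SEND
2026-06-25 16:10:05 DROP TCP 10.0.0.5 198.51.100.4 52146 389 0 - 0 0 0 - - - SEND
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for headers/junk."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
    except ValueError:
        return None
    return rec


def coerced_auth_alerts(log_text: str) -> list[dict]:
    """Return one alert per connection from DVLS_HOST to an NTLM-capable port
    on a host outside APPROVED_DCS, whether the firewall allowed or dropped it."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src_ip"] != DVLS_HOST:
            continue
        service = NTLM_PORTS.get(rec["dst_port"])
        if service is None or rec["dst_ip"] in APPROVED_DCS:
            continue
        alerts.append({
            "time": f"{rec['date']} {rec['time']}",
            "dst_ip": rec["dst_ip"],
            "dst_port": rec["dst_port"],
            "service": service,
            "action": rec["action"],
        })
    return alerts


if __name__ == "__main__":
    for alert in coerced_auth_alerts(SAMPLE_LOG):
        print(f"{alert['time']} {alert['action']:5} {DVLS_HOST} -> "
              f"{alert['dst_ip']}:{alert['dst_port']} ({alert['service']})")
```

Run against the sample, the scan flags the allowed SMB connection to 203.0.113.7 and the dropped LDAP attempt to 198.51.100.4; the connection to the approved controller and the one from a different host are ignored. Correlating the alert timestamp with the application log identifies which authenticated user issued the discovery request.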

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:15:00 +0000

  Title
    removed: Authenticated PAM AD Discovery Credential Exposure via NTLMv2 Challenge-Response in Devolutions Server
    added:   Authenticated PAM AD Discovery Credential Exposure via NTLMv2 Challenge‑Response in Devolutions Server
    (the only difference is the hyphen character in "Challenge‑Response")

Thu, 25 Jun 2026 16:00:00 +0000

  Title
    added: Authenticated PAM AD Discovery Credential Exposure via NTLMv2 Challenge-Response in Devolutions Server

Thu, 25 Jun 2026 15:30:00 +0000

  Metrics
    added: cvssV3_1: score 2.7, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
    added: ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Thu, 25 Jun 2026 14:00:00 +0000

  Description
    added: Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.
  Weaknesses
    added: CWE-1284
  References
    (none shown)

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-25T14:52:29.837Z

Reserved: 2026-06-19T19:30:39.329Z

Link: CVE-2026-12755

Vulnrichment

Updated: 2026-06-25T14:50:50.494Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T17:00:11Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input