Description
Improper
access control in multiple DVLS REST API endpoints in Devolutions
Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of connection data
Action: Apply Patch Now
AI Analysis

Impact

The vulnerability resides in Devolutions Server's REST API endpoints, where an authenticated user possessing only view‑only rights can read sensitive connection data. This improper access control allows an attacker to exfiltrate confidential information that should be restricted to privileged users, compromising confidentiality and potentially exposing credentials used to connect to backend systems. The weakness is cataloged as CWE‑200, an information‑exposure flaw.

Affected Systems

The flaw affects Devolutions Server releases 2025.3.14.0 and earlier. Any deployment of these versions that exposes the documented API endpoints to authenticated clients is susceptible. Organizations running older versions must verify and upgrade accordingly.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium‑to‑high risk, while an EPSS score of less than 1% suggests that exploitation is currently rare. Because the flaw requires valid credentials, attackers need to compromise user accounts or acquire view‑only tokens, but once authenticated, they can immediately harvest sensitive data. The vulnerability is not listed in the CISA KEV catalog, so no prioritized exploitation is known, yet the potential damage warrants prompt remediation.

Generated by OpenCVE AI on April 17, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Devolutions Server release that incorporates the access‑control fix, or upgrade to any version newer than 2025.3.14.0.
  • Reduce the scope of view‑only permissions by removing the role from users who do not need it, or temporarily disable view‑only access until the patch is applied.
  • Restrict access to the affected REST API endpoints via firewall rules or network segmentation to limit potential exposure until a vendor patch is deployed.

Generated by OpenCVE AI on April 17, 2026 at 15:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Improper Access Control Enables View‑Only Users to Access Sensitive Connection Data

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Tue, 24 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.
Weaknesses CWE-200
References

Subscriptions

Devolutions Devolutions Server Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-02-26T16:09:13.047Z

Reserved: 2026-02-24T16:52:20.741Z

Link: CVE-2026-3131

cve-icon Vulnrichment

Updated: 2026-02-26T16:07:48.631Z

cve-icon NVD

Status : Modified

Published: 2026-02-24T20:27:50.883

Modified: 2026-02-26T17:23:03.460

Link: CVE-2026-3131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses