Description
Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
Published: 2026-02-25
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of user account data
Action: Patch
AI Analysis

Impact

Devolutions Server versions 2025.3.14 and earlier store sensitive user account information in plain text within the database, a sensitive data exposure flaw. An adversary who can access the database can read this information directly, compromising the confidentiality of user credentials and personal data. The vulnerability is classified as CWE-312.

Affected Systems

The issue exists in Devolutions Server 2025.3.14 and earlier releases. No specific edition or deployment type is mentioned, but the affected product is the Devolutions Server database component.

Risk and Exploitability

The CVSS base score of 4.9 indicates moderate severity, and the EPSS figure of less than 1% suggests that exploitation is unlikely in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have database access, either through local compromise or poorly secured credentials, and does not depend on remote network components.

Generated by OpenCVE AI on April 18, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version released after 2025.3.14 that encrypts sensitive user data in the database.
  • Restrict database access to privileged accounts only.
  • Monitor for unauthorized database access attempts.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 11:00:00 +0000

Type Values Removed Values Added
Title Devolutions Server Database Stores Unencrypted User Account Information

Sat, 28 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server

Thu, 26 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions, Devolutions server
Vendors & Products Devolutions, Devolutions server

Wed, 25 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
Weaknesses CWE-312
References

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-02-26T16:03:04.217Z

Reserved: 2026-02-25T18:20:33.439Z

Link: CVE-2026-3221

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-25T19:43:26.530

Modified: 2026-02-28T00:43:23.320

Link: CVE-2026-3221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses