Description
Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.
Published: 2026-03-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized restoration of deleted users and roles by low‑privileged authenticated users
Action: Patch
AI Analysis

Impact

An improper access control flaw in the user and role restore API endpoints allows a low-privileged authenticated user to restore previously deleted users and roles by sending crafted API requests. Because the endpoints do not verify that the caller is authorized to perform a restore, a removed user account can be re-enabled or a role that was meant to be permanently revoked can be reinstated, potentially granting the attacker privileges or access that should have been denied. The vulnerability is a permission bypass rather than a remote code execution flaw, but it enables persistence and privilege escalation within the affected system.

Affected Systems

Devolutions Server version 2025.3.11.0 and earlier. The flaw exists in the API endpoints responsible for restoring deleted users and roles.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate risk, while an EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread public exploitation. Attacks would require an authenticated session with a low‑privileged account and crafted API calls, making it a relatively focused threat rather than a broad remote attack vector.

Generated by OpenCVE AI on April 18, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Devolutions Server patch or upgrade to a release newer than 2025.3.11.0 where restore‑API access control is corrected.
  • Implement or verify missing authorization checks (CWE‑862) on the user and role restore endpoints so that only accounts with proper administrative privileges can invoke the restore operation.
  • Restrict network exposure of the restore API endpoints by firewall rules or network segmentation so that only trusted administrative hosts can reach them.
  • If a patch is not yet available, temporarily disable the restore endpoints or block them via a reverse‑proxy to prevent unauthorized use.
  • Review and revoke low‑privileged user accounts with potential restore rights to enforce the principle of least privilege.
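The second recommended action above, shown as an added example that is not Devolutions code: a simplified soft-delete directory whose vulnerable restore method checks only that the caller is authenticated, beside the corrected method that also requires an administrative role, plus an audit-review helper that lists restore events not performed by a known admin. The `Directory` and `Principal` names and the `admin` role are assumptions for illustration.

```python
# Added illustration of the CWE-862 pattern behind this CVE (not Devolutions code):
# a "restore deleted user" operation that is authenticated but not authorized.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Principal:
    name: str
    roles: frozenset = frozenset()  # e.g. {"user"} for a low-privileged account


@dataclass
class Directory:
    active: dict = field(default_factory=dict)   # username -> record
    deleted: dict = field(default_factory=dict)  # username -> soft-deleted record
    audit: list = field(default_factory=list)    # (action, caller, target, outcome)

    def restore_user_vulnerable(self, caller: Optional[Principal], username: str) -> bool:
        # Vulnerable: only authentication is checked, so any logged-in caller
        # can undo a deletion (missing authorization, CWE-862).
        if caller is None:
            return False
        return self._restore(caller, username)

    def restore_user_fixed(self, caller: Optional[Principal], username: str) -> bool:
        # Fixed: restoring a deleted principal is an administrative action,
        # so the caller's role is checked and every denial is audited.
        if caller is None or "admin" not in caller.roles:
            who = caller.name if caller else "-"
            self.audit.append(("restore_user", who, username, "denied"))
            return False
        return self._restore(caller, username)

    def _restore(self, caller: Principal, username: str) -> bool:
        record = self.deleted.pop(username, None)
        if record is None:
            return False  # nothing to restore
        self.active[username] = record
        self.audit.append(("restore_user", caller.name, username, "restored"))
        return True


def nonadmin_restore_events(audit: list, admins: set) -> list:
    """Audit review: restore events (attempted or successful) whose caller
    is not a known administrator; on a patched system these should be empty."""
    return [e for e in audit if e[0] == "restore_user" and e[1] not in admins]
```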


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title Low‑Privileged Users Can Restore Deleted Accounts via Improper Access Control

Mon, 30 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions; Devolutions server
Vendors & Products Devolutions; Devolutions server

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.
Weaknesses CWE-862
References

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-03-09T19:31:20.567Z

Reserved: 2026-03-06T15:19:48.882Z

Link: CVE-2026-3638

Vulnrichment

Updated: 2026-03-09T19:31:12.370Z

NVD

Status: Analyzed

Published: 2026-03-09T19:16:08.720

Modified: 2026-03-30T19:32:08.327

Link: CVE-2026-3638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses