Description
Improper certificate validation in Devolutions Hub Reporting Service
2025.3.1.1 and earlier allows a network attacker to perform a
man-in-the-middle attack via disabled TLS certificate verification.
Published: 2026-03-18
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑middle Attack
Action: Immediate Patch
AI Analysis

Impact

Devolutions Hub Reporting Service versions 2025.3.1.1 and earlier perform improper TLS certificate validation, allowing an attacker on the same network to intercept and modify traffic. This flaw can lead to a man‑in‑the‑middle attack, compromising the confidentiality and integrity of data exchanged by the service. The weakness is classified as CWE‑295 (Improper Certificate Validation), in which certificate checks are bypassed.

Affected Systems

The affected product is Devolutions Hub Reporting Service, version 2025.3.1.1 and earlier. Deployments running any of those releases are vulnerable. The vulnerability is limited to the versions indicated by the vendor, and the CPE string identifies only this product.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not yet cataloged in the CISA KEV list. An attacker would need a position on the network path to the reporting service and could take advantage of the disabled TLS verification to intercept the traffic. Because the flaw is a certificate‑validation bypass reachable only from the adjacent network, its risk is significant, but the current likelihood of exploitation is low.

Generated by OpenCVE AI on March 30, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Hub Reporting Service to a version newer than 2025.3.1.1 where certificate validation is enforced.
  • If an upgrade is not immediately possible, review and reconfigure the service to disable any options that turn off TLS verification, ensuring that certificate checks remain active.
  • Restrict network access to the reporting service, placing it behind a firewall or VPN to limit potential attackers.
  • Monitor network traffic for signs of interception or anomalies that may indicate a man‑in‑the‑middle attack.
  • Regularly check the Devolutions security advisory page for further updates or security patches.

Generated by OpenCVE AI on March 30, 2026 at 16:31 UTC.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type: Title
Values: Improper Certificate Validation in Devolutions Hub Reporting Service Enables Man‑in‑the‑Middle Attacks

Mon, 30 Mar 2026 15:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:devolutions:hub_reporting_service:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type: Title
Values: Improper Certificate Validation in Devolutions Hub Reporting Service Enables Man‑in‑the‑Middle Attacks

Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Devolutions; Devolutions hub Reporting Service

Type: Vendors & Products
Values Added: Devolutions; Devolutions hub Reporting Service

Wed, 18 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added:

cvssV3_1
{'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}

ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 20:00:00 +0000

Type: Description
Values Added: Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.

Type: Weaknesses
Values Added: CWE-295

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-03-18T20:10:58.385Z

Reserved: 2026-03-18T15:54:21.845Z

Link: CVE-2026-4396

Vulnrichment

Updated: 2026-03-18T20:09:44.109Z

NVD

Status: Analyzed

Published: 2026-03-18T20:16:22.933

Modified: 2026-03-30T15:09:31.033

Link: CVE-2026-4396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:59:09Z

Weaknesses