CVE-2026-4989 - Vulnerability Details

Description

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.
This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.

Published: 2026-04-01

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper input validation in the gateway health check feature of Devolutions Server enables an authenticated user with low privileges to issue crafted API requests. The vulnerability, identified as a Server‑Side Request Forgery (CWE‑918), permits the user to direct the server to request internal or external resources, which can lead to disclosure of sensitive information. The impact is limited to information exposure rather than code execution or denial of service.

Affected Systems

The affected product is Devolutions Server, released by Devolutions. Vulnerable releases include versions 2026.1.1 through 2026.1.11 and 2025.3.1 through 2025.3.17. Any installation of these version ranges is susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication but does not need elevated privileges, making it accessible to many users. The attack vector is inferred to involve sending a malicious API request to the health check endpoint, which then causes the server to perform unauthorized requests to target resources.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Devolutions

Server

unaffected

Version	Status	Constraints
`2026.1.1`	affected	≤ 2026.1.11
`2025.3.1`	affected	≤ 2025.3.17

Configuration 1 [-]

OR	cpe:2.3:a:devolutions:devolutions_server::::::::
	cpe:2.3:a:devolutions:devolutions_server::::::::

No data.

Vendor Product Confidence Versions

Devolutions

Server

100%

Version	Status	Scheme	Platform
`[2026.1.1,2026.1.11]`	affected	semver	—
`[2025.3.1,2025.3.17]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Devolutions Server to a release newer than 2026.1.11 or 2025.3.17
Configure network segmentation or firewall rules to block outbound connections from the gateway health check endpoint if an upgrade cannot be applied immediately
Monitor logs for abnormal health check API requests and other suspicious activity

Generated by OpenCVE AI on April 3, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://devolutions.net/security/advisories/DEVO-2026-0010

History

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Title	SSRF via Gateway Health Check in Devolutions Server

Fri, 03 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Devolutions devolutions Server
CPEs		cpe:2.3:a:devolutions:devolutions_server::::::::
Vendors & Products		Devolutions devolutions Server

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Title		SSRF via Gateway Health Check in Devolutions Server
First Time appeared		Devolutions Devolutions server
Vendors & Products		Devolutions Devolutions server
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
Weaknesses		CWE-918
References		https://devolutions.net/security/advisories/DEVO-2026-0010
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Devolutions Devolutions Server Server

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published: 2026-04-01T15:07:29.219Z

Updated: 2026-04-01T17:15:10.559Z

Reserved: 2026-03-27T13:42:14.773Z

Link: CVE-2026-4989

Vulnrichment

Updated: 2026-04-01T17:13:27.884Z

NVD

Status : Analyzed

Published: 2026-04-01T16:23:51.973

Modified: 2026-04-03T19:13:27.277

Link: CVE-2026-4989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:31Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object