Description
Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.

This issue affects the following versions:

* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and earlier
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Devolutions Server contains an improper access control flaw in its notification management endpoints. Because the endpoints do not validate the caller's session, an unauthenticated actor can alter or remove any user's notification records simply by addressing them by identifier. The weakness is classified as CWE-862 (Missing Authorization). The result is an integrity compromise of notification data, which can disrupt user communication flows or support further malicious activity.
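The following is an added illustration, not Devolutions Server code and not part of this advisory: a minimal Python model of a notification update endpoint in the vulnerable shape the description implies (the handler acts on the record id in the request without ever resolving a session) beside a hardened version that first authenticates the session and then checks that the record belongs to the caller. The store, session table, request fields, handler names and status codes are all assumptions made for the example.

```python
"""Added example of CWE-862 on a notification endpoint (vulnerable vs. hardened).
Not Devolutions Server code; every name below is an assumption for illustration."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Notification:
    id: int
    owner: str
    text: str
    read: bool = False


@dataclass
class Request:
    method: str                            # "PATCH" or "DELETE"
    notification_id: int                   # record id taken straight from the URL
    body: dict = field(default_factory=dict)
    session_cookie: Optional[str] = None   # None: the client sent no session at all


class NotificationStore:
    def __init__(self):
        self.rows = {}
        self._next = 1

    def add(self, owner, text):
        nid = self._next
        self._next += 1
        self.rows[nid] = Notification(nid, owner, text)
        return nid


class SessionStore:
    """Maps opaque session tokens to the authenticated username (assumed design)."""
    def __init__(self):
        self.sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def user_for(self, token):
        return self.sessions.get(token) if token else None


def vulnerable_update(store, req):
    """Vulnerable pattern: trusts the record id and never asks who is calling,
    so any client that can reach the endpoint can edit or delete any row."""
    row = store.rows.get(req.notification_id)
    if row is None:
        return 404, "not found"
    if req.method == "DELETE":
        del store.rows[req.notification_id]
        return 204, ""
    row.read = bool(req.body.get("read", row.read))
    return 200, "ok"


def hardened_update(store, sessions, req):
    """Hardened pattern: (1) authenticate the session, (2) authorize by owner,
    (3) only then mutate. Ownership failures return 404, not 403, so an
    attacker cannot enumerate other users' record ids."""
    user = sessions.user_for(req.session_cookie)
    if user is None:
        return 401, "authentication required"
    row = store.rows.get(req.notification_id)
    if row is None or row.owner != user:
        return 404, "not found"
    if req.method == "DELETE":
        del store.rows[req.notification_id]
        return 204, ""
    row.read = bool(req.body.get("read", row.read))
    return 200, "ok"


def demo():
    store, sessions = NotificationStore(), SessionStore()
    alice_id = store.add("alice", "Vault export completed")   # constructed sample row
    bob_token = sessions.login("bob")
    anon = Request("DELETE", alice_id)                          # no session at all
    results = {"vuln_anon_delete": vulnerable_update(store, anon)[0]}
    results["vuln_row_gone"] = alice_id not in store.rows
    # Recreate the row and replay the same traffic against the hardened handler.
    alice_id = store.add("alice", "Vault export completed")
    anon = Request("DELETE", alice_id)
    bob = Request("PATCH", alice_id, {"read": True}, bob_token)  # valid session, wrong user
    results["hard_anon_delete"] = hardened_update(store, sessions, anon)[0]
    results["hard_bob_patch"] = hardened_update(store, sessions, bob)[0]
    results["hard_row_intact"] = alice_id in store.rows and not store.rows[alice_id].read
    # The legitimate owner is still served.
    alice = Request("PATCH", alice_id, {"read": True}, sessions.login("alice"))
    results["hard_alice_patch"] = hardened_update(store, sessions, alice)[0]
    results["hard_alice_read"] = store.rows[alice_id].read
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks in `hardened_update` are distinct controls: the session lookup is authentication, the owner comparison is authorization. The advisory's wording ("arbitrary user notification records", "missing session validation") indicates that the first is absent, and once it is absent the second cannot be applied either, which is why a single missing check yields cross-user impact.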

Affected Systems

The vulnerability is present in Devolutions Server versions 2026.1.6.0 through 2026.1.15.0, and in version 2025.3.19.0 and all earlier releases. Systems running any of these releases are affected.

Risk and Exploitability

No CVSS or EPSS score is reported for this issue, and it is not listed in CISA's KEV catalog. Even so, the endpoints require no authentication and perform no session check, so a remote attacker can exploit the flaw from any network position that can reach them. Because the flaw allows arbitrary modification or deletion of notification data without any privileges, the risk to affected systems is significant, particularly where notification data is relied on in security or operational contexts.

Generated by OpenCVE AI on May 12, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Devolutions Server fix as soon as the vendor publishes one; until then, treat every release in the affected ranges (2026.1.6.0 through 2026.1.15.0, and 2025.3.19.0 and earlier) as exploitable.
  • Restrict network access to the server's notification endpoints to trusted hosts, or require VPN connectivity, until a fix is applied.
  • Log and alert on any modification or deletion of notification records that is not tied to a valid authenticated session, to detect exploitation attempts.
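As an added example (not part of the original advisory and not Devolutions' own tooling), the detection logic below implements the logging-and-alerting recommendation over constructed reverse-proxy log lines. It assumes a proxy in front of the server that emits one JSON record per request and notes whether the session cookie was present; the field names, the /api/notifications/<id> path and the session-cookie convention are assumptions, not the product's real formats. Rule 1 flags a successful state-changing request that carried no session; rule 2 flags a single source touching many distinct records.

```python
"""Added detection example for unauthenticated notification changes.
Log format, path and field names are assumptions, not Devolutions Server's."""
import json
import re
from collections import defaultdict

# Constructed sample: one JSON object per request from an assumed reverse proxy
# that records whether the session cookie was present on the request.
SAMPLE_LOG = """\
{"ts":"2026-05-12T19:01:02Z","src":"10.0.0.5","method":"GET","path":"/api/notifications","status":200,"has_session":true}
{"ts":"2026-05-12T19:01:10Z","src":"10.0.0.5","method":"PATCH","path":"/api/notifications/17","status":200,"has_session":true}
{"ts":"2026-05-12T19:02:00Z","src":"198.51.100.9","method":"DELETE","path":"/api/notifications/1","status":204,"has_session":false}
{"ts":"2026-05-12T19:02:01Z","src":"198.51.100.9","method":"DELETE","path":"/api/notifications/2","status":204,"has_session":false}
{"ts":"2026-05-12T19:02:01Z","src":"198.51.100.9","method":"DELETE","path":"/api/notifications/3","status":204,"has_session":false}
{"ts":"2026-05-12T19:02:02Z","src":"198.51.100.9","method":"DELETE","path":"/api/notifications/4","status":204,"has_session":false}
{"ts":"2026-05-12T19:03:00Z","src":"203.0.113.7","method":"DELETE","path":"/api/notifications/9","status":401,"has_session":false}
{"ts":"2026-05-12T19:04:00Z","src":"10.0.0.8","method":"PATCH","path":"/api/notifications/21","status":200,"has_session":true}
"""

NOTIFICATION_PATH = re.compile(r"^/api/notifications/(\d+)$")   # assumed route shape
MUTATING = {"PUT", "PATCH", "DELETE", "POST"}


def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _mutation_on_record(e):
    """Return the record id if the event is a successful mutating request on a
    single notification, else None."""
    m = NOTIFICATION_PATH.match(e["path"])
    if m and e["method"] in MUTATING and 200 <= e["status"] < 300:
        return int(m.group(1))
    return None


def unauthenticated_mutations(events):
    """Rule 1: a successful state change on a notification record with no
    session cookie. On a patched server this never happens; on a vulnerable
    one it is the exploit signature. Returns (src, method, record id) tuples."""
    hits = []
    for e in events:
        rid = _mutation_on_record(e)
        if rid is not None and not e["has_session"]:
            hits.append((e["src"], e["method"], rid))
    return hits


def mass_modification(events, threshold=3):
    """Rule 2: one source successfully touching >= threshold distinct records,
    regardless of session state. Catches the 'arbitrary records' aspect even
    if the attacker later obtains some session."""
    ids_by_src = defaultdict(set)
    for e in events:
        rid = _mutation_on_record(e)
        if rid is not None:
            ids_by_src[e["src"]].add(rid)
    return {src: sorted(ids) for src, ids in ids_by_src.items() if len(ids) >= threshold}


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"unauth": unauthenticated_mutations(events), "mass": mass_modification(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On a patched server the first rule should never fire (the 401 returned to 203.0.113.7 in the sample is what hardened behaviour looks like in the log), so a single hit is enough to open an incident; the second rule is the one to keep tuned, since a legitimate bulk "mark all read" from one user can also touch many ids.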



Advisories

No advisories yet.

History

Tue, 12 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Devolutions; Devolutions server
Vendors & Products   -                Devolutions; Devolutions server

Tue, 12 May 2026 20:15:00 +0000

Type    Values Removed   Values Added
Title   -                Unauthenticated Modification of User Notification Records in Devolutions Server

Tue, 12 May 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description   -                Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions: * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier
Weaknesses    -                CWE-862
References    -                -

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-12T17:28:21.264Z

Reserved: 2026-03-30T13:23:11.124Z

Link: CVE-2026-5146

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T18:17:32.177

Modified: 2026-05-12T18:17:32.177

Link: CVE-2026-5146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses