Description
Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.
This issue affects the following versions:

* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and earlier

Published: 2026-05-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Devolutions Server contains an improper access control flaw in its notification management endpoints. The flaw permits an unauthenticated actor to alter or remove any user’s notification records because the endpoints do not enforce session validation. This breach of access control, identified as CWE‑862, leads to an integrity compromise of notification data and can potentially disrupt user communication flows or enable further malicious activity.

Affected Systems

The vulnerability is present in Devolutions Server versions 2026.1.6.0 through 2026.1.15.0, as well as in the 2025.3.19.0 release and all earlier 2025.x versions. Systems running any of these releases are affected.

Risk and Exploitability

The CVSS score of 4.3 and EPSS score of < 1% indicate a moderate severity and low exploitation likelihood, and the vulnerability is not listed in CISA’s KEV catalog. The lack of authentication requirements and the absence of session checks imply that a remote attacker can exploit the flaw from any network position that can reach the vulnerable endpoints. Because the flaw allows arbitrary modification or deletion of notification data without privileges, the risk to affected systems is significant, particularly if notification data is used in security or operational contexts.

Generated by OpenCVE AI on May 13, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Devolutions Server patch that fixes the notification endpoint access control flaw.
  • Restrict network access to the server’s notification endpoints to trusted hosts, or enforce VPN connectivity until the patch is applied.
  • Configure logging and alerts for unauthorized modification or deletion of notification records to detect exploitation attempts.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Devolutions devolutions Server
CPEs                |                | cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Devolutions devolutions Server

Wed, 13 May 2026 18:30:00 +0000

Type  | Values Removed | Values Added
Title |                | Unauthenticated Modification of User Notification Records in Devolutions Server

Wed, 13 May 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 23:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Devolutions
                    |                | Devolutions server
Vendors & Products  |                | Devolutions
                    |                | Devolutions server

Tue, 12 May 2026 20:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Unauthenticated Modification of User Notification Records in Devolutions Server

Tue, 12 May 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions: * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier
Weaknesses  |                | CWE-862
References  |                |

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-13T16:01:19.326Z

Reserved: 2026-03-30T13:23:11.124Z

Link: CVE-2026-5146

Vulnrichment

Updated: 2026-05-13T16:01:13.752Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:32.177

Modified: 2026-05-26T12:51:35.633

Link: CVE-2026-5146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:15:16Z

Weaknesses