Description
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.

This issue affects :

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Published: 2026-05-22
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Devolutions Server's entry activity log feature allows an authenticated user who has view rights on an entry, but lacks permission to retrieve activity logs, to obtain those logs through a crafted API request. This can lead to disclosure of audit information and potentially reveal internal user actions without authorization. The vulnerability is a classic improper access control flaw (CWE‑284).

Affected Systems

Devolutions Server versions 2026.1.6.0 through 2026.1.16.0 and all 2025.3.20.0 releases and earlier are affected. The product is identified as Devolutions Server by the vendor Devolutions.

Risk and Exploitability

The vulnerability requires an authenticated session and access to a specific entry but no special user privileges. An attacker can exploit it by sending a crafted API request targeting the activity log endpoint. The CVSS score of 4.3 indicates moderate severity, yet the nature of the flaw suggests potential privacy and audit integrity risks. The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is available, indicating no publicly known exploitation at this time. The attack surface is confined to the internal API, but the impact on privacy and audit integrity is significant.

Generated by OpenCVE AI on May 22, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version that is not affected (2026.1.17.0 or later, or 2025.3.21.0 or later).
  • Limit user permissions so that customers who can view entries cannot also request activity logs unless explicitly granted.
  • Monitor API usage for attempts to retrieve activity logs from entries that the user does not normally have access to, and alert administrators.

Generated by OpenCVE AI on May 22, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Access to Entry Activity Logs via API

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Access to Entry Activity Logs via API

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Weaknesses CWE-284
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:50:52.887Z

Reserved: 2026-03-30T15:51:43.984Z

Link: CVE-2026-5171

cve-icon Vulnrichment

Updated: 2026-05-22T16:50:49.926Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T19:00:15Z

Weaknesses