Description
Improper
access control in the vault documentation feature in Devolutions
Server allows an authenticated attacker to read documentation content
from unauthorized vaults via a crafted API request.



This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.
Published: 2026-04-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Devolutions Server has an improper access control flaw in the vault documentation feature that allows an authenticated attacker to read documentation content from vaults to which they are not authorized. The flaw is triggered by a crafted API request, enabling the disclosure of potentially sensitive documentation data. It is inferred that ownership and availability are not affected, as the vulnerability only permits data disclosure and does not alter system state.

Affected Systems

The vulnerability affects Devolutions Server, specifically all instances running the 2026.1.14.0 release or earlier. No additional affected vendors or version ranges were identified in the advisory.

Risk and Exploitability

The impact is limited to information disclosure. It is inferred that the attacker must hold authenticated access because the flaw is triggered by a crafted API request; however, this prerequisite is not explicitly stated in the CVE description. The EPSS score of <1% indicates a low probability of exploitation, and the issue is not listed in CISA's KEV catalog, suggesting that widespread exploitation has not been observed. The CVSS score of 6.5 indicates moderate severity that still warrants timely remediation.

Generated by OpenCVE AI on May 2, 2026 at 08:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version newer than 2026.1.14.0 or apply the official patch if available.
  • Ensure that API access is restricted to the minimal set of vaults required for each authenticated user and that role‑based permissions are correctly enforced.
  • Monitor API traffic for unusual requests targeting vault documentation endpoints and review audit logs for unauthorized access attempts.

Generated by OpenCVE AI on May 2, 2026 at 08:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server

Sat, 02 May 2026 08:30:00 +0000

Type Values Removed Values Added
Title Improper Access Control Enables Unauthorized Read of Vault Documentation via API

Thu, 30 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.

Tue, 28 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Title Improper Access Control Enables Unauthorized Read of Vault Documentation via API

Tue, 28 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Tue, 28 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.
Weaknesses CWE-862
References

Subscriptions

Devolutions Devolutions Server Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-04-30T17:39:14.209Z

Reserved: 2026-04-20T18:05:39.474Z

Link: CVE-2026-6706

cve-icon Vulnrichment

Updated: 2026-04-28T17:35:57.734Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T14:16:14.150

Modified: 2026-05-04T13:37:11.833

Link: CVE-2026-6706

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:15:16Z

Weaknesses