Description
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.

This issue affects the following versions:

* Devolutions Server 2026.1.6.0 through 2026.1.11.0
* Devolutions Server 2025.3.16.0 and earlier
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from a missing authorization check in the PAM module of Devolutions Server. An attacker who is already authenticated and holds a PAM license, but has no additional permissions, can send specially crafted requests to the PAM API endpoints to retrieve OTP secret keys and recovery codes. The flaw exposes authentication secrets that are meant to protect user accounts, allowing an attacker to bypass two-factor authentication and take full control of the affected accounts. It is classified as a missing authorization weakness (CWE-862).

Affected Systems

Devolutions Server versions 2026.1.6.0 through 2026.1.11.0 and all releases 2025.3.16.0 and earlier are impacted. The vendor is Devolutions.

Risk and Exploitability

Because the flaw can be triggered from a standard authenticated session and requires no privilege beyond a PAM license, the likelihood of exploitation is high in environments where such licenses are in use. An attacker would send crafted requests to the PAM API to obtain OTP secrets and recovery codes, which could then be used to compromise other systems or accounts. EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, but the exposure of critical credentials makes the risk significant. No CVSS score is provided, yet the potential impact on confidentiality and authentication integrity warrants high concern.

Generated by OpenCVE AI on May 12, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version that fixes the PAM module authorization flaw (any release newer than 2026.1.11.0).
  • If an immediate upgrade is not feasible, limit PAM license users to the minimal set of permissions required for their role and revoke the ability to call API endpoints that disclose OTP secrets and recovery codes.
  • Ensure that the PAM API validates user permissions rigorously and that only explicitly authorized accounts can access OTP information.

Generated by OpenCVE AI on May 12, 2026 at 17:57 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Missing Authorization in PAM Module Exposes OTP Secrets in Devolutions Server

Tue, 12 May 2026 18:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Devolutions; Devolutions server
Vendors & Products  |                | Devolutions; Devolutions server

Tue, 12 May 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions: * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier
Weaknesses  |                | CWE-862
References  |                |

Subscriptions

Devolutions Server
MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-12T16:16:50.924Z

Reserved: 2026-05-12T16:10:27.403Z

Link: CVE-2026-8407

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T17:16:22.043

Modified: 2026-05-12T17:16:22.043

Link: CVE-2026-8407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses