Impact
The vulnerability originates in Devolutions Server's sealed-entry workflow. An authenticated user who already has permission to a sealed entry can craft a specific API request that retrieves the entry's sensitive data without triggering the unseal audit notification the workflow is supposed to emit. Because that audit step is skipped, the user reads protected data without leaving the expected trace, compromising the confidentiality of the stored information and the reliability of the audit trail. The weakness is classified as CWE-841 (Improper Enforcement of Behavioral Workflow): a required step of the sealed-entry flow, the audit notification, can be bypassed.
Affected Systems
Affected versions are Devolutions Server 2026.1.6.0 through 2026.1.16.0, and 2025.3.20.0 together with any earlier release. Administrators running these product lines should check the deployed version against those ranges; no fixed version is listed here, so consult the vendor advisory for the release that closes the issue.
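A small version-triage helper, added here as an example and not part of the advisory or of any Devolutions tooling. It encodes the two affected ranges exactly as stated above (2026.1.6.0 through 2026.1.16.0 inclusive, and anything at or below 2025.3.20.0) and reports whether a given four-part version string falls inside them. Versions that sit between the two ranges, such as 2025.3.21.0 or 2026.1.5.0, are not listed as affected on this page, so the helper returns False for them; confirm such cases against the vendor advisory rather than this text.

```python
# Version triage for the affected ranges quoted in the advisory above.
# Added example; the ranges are taken literally from the text, and the
# four-part numeric version format is an assumption about how the
# product reports its version.

Version = tuple  # a 4-tuple of ints, e.g. (2026, 1, 6, 0)


def parse_version(s: str) -> Version:
    """Parse 'YYYY.minor.patch.build' into a comparable tuple of ints."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a 4-part numeric version, got {s!r}")
    return tuple(int(p) for p in parts)


# (lower bound or None for 'any earlier release', upper bound); both inclusive.
AFFECTED_RANGES = [
    (parse_version("2026.1.6.0"), parse_version("2026.1.16.0")),
    (None, parse_version("2025.3.20.0")),
]


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the stated affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or low <= v) and v <= high:
            return True
    return False


def triage(versions) -> dict:
    """Map each version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, hit in triage(["2026.1.16.0", "2026.1.17.0", "2025.3.20.0",
                            "2025.3.21.0", "2024.3.1.0"]).items():
        print(f"{ver}: {'AFFECTED' if hit else 'not listed as affected'}")
```

Tuple comparison in Python is lexicographic, so a parsed version compares correctly component by component without any string tricks; the parser rejects anything that is not four numeric fields so a malformed inventory entry fails loudly instead of being silently marked safe.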
Risk and Exploitability
Exploitation requires an authenticated account that already has access to a sealed entry and the ability to send crafted API requests; no privilege escalation is involved. The attack surface is therefore limited to users who can already open the entry, but it lets them read the protected data without the unseal event that would normally alert an administrator. No EPSS score is available and the flaw is not in the CISA KEV catalog, so no public exploitation has been recorded. The CVSS score of 2.7 reflects the low severity of a read by an already-authorized user, but the audit bypass matters in any environment that relies on unseal notifications to detect or review access to sensitive entries. Treat the risk as meaningful until the vendor fix is applied, and in the meantime review access to sealed entries through whatever other records the deployment keeps rather than relying on the unseal notifications alone.
OpenCVE Enrichment