Description
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Published: 2026-05-22
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the vault import feature allows a low-privileged authenticated user to create new vaults through a crafted import request. This flaw lets the user create vaults that the system would normally restrict, effectively granting elevated data-storage permissions and potentially compromising confidentiality or integrity by allowing unauthorized data persistence.

Affected Systems

Devolutions Server 2026.1.16.0 and all earlier releases are affected.

Risk and Exploitability

The vulnerability can be exploited by any authenticated user without special privileges, requiring only a crafted import request. No public exploit has been reported yet, and the EPSS score is not available, but the lack of an authorization check indicates a clear path to privilege escalation. The CVSS score of 4.3 indicates moderate severity. The flaw is not listed in the CISA KEV catalog, suggesting it is still early in its lifecycle, but it could be a moderate-impact issue for organizations that rely on rigorous access controls.

Generated by OpenCVE AI on May 22, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enforce role-based access controls to remove import-feature permissions from low-privileged accounts so that only administrators can import vaults.
  • Temporarily block or restrict the vault-import endpoint for non-admin users using network controls or API gateway rules until an official fix is released.
  • Regularly monitor Devolutions security advisories and check the vendor's website for updates so a patch can be applied as soon as it becomes available.

Advisories

No advisories yet.

History

Fri, 22 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Vault Creation via Import in Devolutions Server

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Vault Creation via Import in Devolutions Server
First Time appeared: Devolutions; Devolutions server
Vendors & Products: Devolutions; Devolutions server

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Weaknesses CWE-284
References

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:57:45.787Z

Reserved: 2026-05-21T17:45:27.444Z

Link: CVE-2026-9223

Vulnrichment

Updated: 2026-05-22T16:57:40.335Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:00:13Z

Weaknesses