Description
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.

This issue affects:

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Published: 2026-05-22
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Devolutions Server contains a missing authorization check in the user profile update feature, allowing an authenticated Active Directory user to alter their own profile attributes via a crafted API request. The vulnerability is classified as CWE‑862 (Missing Authorization). Changing profile attributes can affect user permissions or other security‑relevant settings, although it is confined to the user’s own account and does not grant broader system privileges.
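To make the weakness concrete, the following is an added example, not code from Devolutions Server or from OpenCVE; the handler shape, the attribute names and the self-service policy are assumptions for illustration. It places a profile-update handler that only checks that the caller is logged in (the CWE-862 pattern) beside one that also authorizes the caller for the target account and for each requested attribute, and that refuses application-side edits to directory-managed accounts.

```python
"""Added example: authentication-only vs. authorized profile updates (CWE-862).

Hypothetical code for illustration; the attribute sets and policy below are
assumptions, not the product's real schema.
"""
from dataclasses import dataclass

# Assumed policy: attributes only an administrator may set on any account.
ADMIN_ONLY_ATTRIBUTES = {"role", "groups", "mfa_enforced", "is_admin"}
# Assumed policy: attributes a locally managed user may change on their own account.
SELF_SERVICE_ATTRIBUTES = {"display_name", "email", "phone", "language"}


@dataclass
class User:
    id: str
    source: str            # "local" or "active_directory" (assumed values)
    is_admin: bool = False


class AuthorizationError(Exception):
    """Raised when the caller is not permitted to perform the update."""


def update_profile_vulnerable(caller, target, changes, store):
    """Missing authorization: any authenticated caller may set any attribute."""
    if caller is None:
        raise AuthorizationError("unauthenticated")
    store[target.id].update(changes)
    return store[target.id]


def authorize_profile_update(caller, target, changes):
    """Return the permitted attribute names, or raise AuthorizationError.

    The decision depends on who the caller is, whose profile is targeted,
    where the account is managed, and which attributes are requested.
    """
    if caller is None:
        raise AuthorizationError("unauthenticated")
    requested = set(changes)
    if caller.is_admin:
        return requested
    if caller.id != target.id:
        raise AuthorizationError("non-admin may not modify another user's profile")
    if target.source == "active_directory":
        # Directory-managed attributes are owned by AD; the application must
        # not let the account holder edit them through its own API.
        raise AuthorizationError("directory account attributes are managed in AD")
    disallowed = requested - SELF_SERVICE_ATTRIBUTES
    if disallowed:
        raise AuthorizationError(
            f"attributes not permitted for self-service: {sorted(disallowed)}")
    return requested


def update_profile_fixed(caller, target, changes, store):
    """Authorize first; only then apply the change."""
    authorize_profile_update(caller, target, changes)
    store[target.id].update(changes)
    return store[target.id]


if __name__ == "__main__":
    alice = User("alice", "active_directory")          # constructed sample user
    store = {"alice": {"display_name": "Alice", "role": "user"}}
    print("vulnerable:", update_profile_vulnerable(alice, alice, {"role": "admin"}, store))
    try:
        update_profile_fixed(alice, alice, {"role": "admin"}, store)
    except AuthorizationError as exc:
        print("fixed refused:", exc)
```

The fixed path makes three separate decisions (caller vs. target, account source, per-attribute allow list); the vulnerable path collapses them into "is logged in", which is exactly what CWE-862 describes.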

Affected Systems

Devolutions Server versions 2026.1.6.0 through 2026.1.16.0, and versions 2025.3.20.0 and earlier, are affected.

Risk and Exploitability

Exploitation requires only an authenticated account on the server: per the CVSS vector, the attack is performed over the network (AV:N) with low complexity (AC:L), needs low privileges (PR:L) and no user interaction (UI:N). Because the attack vector is an API call and the effect is limited to the calling user's own profile (integrity impact low, no confidentiality or availability impact), the risk is moderate, which the CVSS score of 4.3 reflects. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known exploitation activity at the time of writing.

Generated by OpenCVE AI on May 22, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Devolutions Server to the latest version that contains the fix, such as 2026.1.17.0 or later.
  • If a patch cannot be applied immediately, restrict access to the user profile update API so that only administrators can invoke it, and review the account permissions to ensure that regular users cannot call the endpoint.
  • Implement monitoring to detect unexpected changes to user profiles and review change logs for unauthorized modifications.
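The monitoring point above, as an added example that is not from Devolutions or OpenCVE: a small detector over constructed JSON-lines audit events (the event schema and field names are assumptions for this example) that flags profile updates a non-administrator should not have been able to make under the expected policy.

```python
"""Added example: flag unexpected profile-update events in an audit log.

The JSON-lines schema and the sample events are constructed for this
example; real products log different field names.
"""
import json

# Constructed sample audit log (five events, one per line).
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-05-22T10:01:00Z","event":"profile.update","actor":"alice","actor_source":"active_directory","actor_admin":false,"target":"alice","changed":["role"]}
{"ts":"2026-05-22T10:02:00Z","event":"profile.update","actor":"admin1","actor_source":"local","actor_admin":true,"target":"bob","changed":["groups"]}
{"ts":"2026-05-22T10:03:00Z","event":"profile.update","actor":"bob","actor_source":"local","actor_admin":false,"target":"bob","changed":["display_name"]}
{"ts":"2026-05-22T10:04:00Z","event":"profile.update","actor":"carol","actor_source":"local","actor_admin":false,"target":"dave","changed":["email"]}
{"ts":"2026-05-22T10:05:00Z","event":"login","actor":"alice","actor_source":"active_directory","actor_admin":false}
"""

# Assumed policy: attributes whose change is security-relevant.
SECURITY_RELEVANT = {"role", "groups", "mfa_enforced", "is_admin"}


def classify(event):
    """Return the reasons a profile.update event is unexpected (empty = fine)."""
    if event.get("event") != "profile.update":
        return []
    if event.get("actor_admin"):
        return []                      # administrators are expected to edit profiles
    reasons = []
    if event["actor"] != event["target"]:
        reasons.append("non-admin modified another user's profile")
    if event.get("actor_source") == "active_directory":
        reasons.append("directory-managed account modified its own profile via the application")
    sensitive = SECURITY_RELEVANT & set(event.get("changed", []))
    if sensitive:
        reasons.append(f"non-admin changed security-relevant attributes: {sorted(sensitive)}")
    return reasons


def find_suspicious(log_text):
    """Parse JSON lines and return a finding per event with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({
                "ts": event["ts"],
                "actor": event["actor"],
                "target": event.get("target"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_AUDIT_LOG):
        print(finding["ts"], finding["actor"], "->", finding["target"], finding["reasons"])
```

Run against the constructed log, the detector reports two events: the directory account editing its own role, and a non-admin editing someone else's profile; the administrator's change and the local user's own display-name change pass as expected. In practice the same rules would be expressed in the SIEM query language, with the attribute list taken from the product's actual audit fields.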

Advisories

No advisories yet.

History

Fri, 22 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Title | (none) | Authenticated Users Can Modify Profile Attributes Without Authorization in Devolutions Server

Fri, 22 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | (none) | Authenticated Users Can Modify Profile Attributes Without Authorization in Devolutions Server
First Time appeared | (none) | Devolutions; Devolutions server
Vendors & Products | (none) | Devolutions; Devolutions server

Fri, 22 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier
Weaknesses | (none) | CWE-862
References | (none) | (none)

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:53:32.882Z

Reserved: 2026-05-21T17:54:29.652Z

Link: CVE-2026-9224

Vulnrichment

Updated: 2026-05-22T16:53:25.763Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T19:00:15Z

Weaknesses