Description
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link.

This issue affects :

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Published: 2026-05-22
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in Devolutions Server's external authentication provider flow can be exploited by unauthenticated attackers to craft a login link that redirects users to an attacker‑controlled domain.

Affected Systems

Devolutions Server versions 2026.1.6.0 through 2026.1.16.0 and all releases 2025.3.20.0 and earlier are affected.

Risk and Exploitability

The flaw permits remote exploitation without authentication; an attacker can manually create the malicious login link using the vulnerable flow. The CVSS score is 5.0, indicating moderate severity, but the lack of authentication requirement keeps the risk significant. EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Because the exploit requires no privileged access or special conditions beyond control of the login link, the risk remains high for any environment that relies on the external authentication provider.

Generated by OpenCVE AI on May 22, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a release newer than 2026.1.16.0, as indicated by the vendor’s advisories
  • If an immediate patch is not possible, disable or restrict the external authentication provider flow until the update is applied
  • Temporarily block or filter redirects to domains not recognized in the company’s approved list via web filtering or firewall rules

Generated by OpenCVE AI on May 22, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Open Redirect Vulnerability in Devolutions Server External Authentication Provider

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Open Redirect Vulnerability in Devolutions Server External Authentication Provider
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Weaknesses CWE-601
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:54:56.535Z

Reserved: 2026-05-21T19:34:42.016Z

Link: CVE-2026-9245

cve-icon Vulnrichment

Updated: 2026-05-22T16:54:50.337Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T19:30:44Z

Weaknesses