Impact
Improper access control in Devolutions Server's entry documentation and attachment features allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. The flaw is a missing-authorization issue (CWE-862) that can lead to unauthorized disclosure of sensitive sealed entry content, compromising confidentiality. It does not allow arbitrary code execution or privilege escalation beyond the permissions already held by the authenticated user with vault read rights.
Affected Systems
Devolutions Server versions 2026.1.6.0 through 2026.1.16.0 are affected, as are releases 2025.3.20.0 and earlier. Administrators running these releases should verify their server version and check for available updates; continuing to run any affected version leaves the application exposed to the access control deficiency described above.
Risk and Exploitability
The vulnerability requires an authenticated account with vault read privileges, a common access level in many deployments. Once authenticated, an attacker can craft an API request to retrieve sealed entry documentation, so exploitation is straightforward. The assessed CVSS score of 4.3 reflects a moderate risk level. No EPSS data is available, and the vulnerability is not listed in CISA KEV, so no widespread exploitation has been publicly identified. However, the impact of data disclosure is significant, and the attack vector (a crafted API call) is likely to be used by malicious insiders or compromised accounts. Organizations should treat this as a moderate to high risk, especially where sealed entries contain sensitive information.
OpenCVE Enrichment