Description
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request.

This issue affects :

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Published: 2026-05-22
Score: 2.4 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insufficient logging in the entry export feature of Devolutions Server. An authenticated user with export permissions can craft a request that exports a sealed entry without triggering the unseal notification that is normally sent to administrators. This flaw enables an insider or compromised account to disclose sensitive credential information while remaining undetected by administrative monitoring systems, thereby compromising confidentiality. The weakness falls under CWE‑778: Insufficient Logging or Monitoring.

Affected Systems

The affected product is Devolutions Server. Vulnerable versions include 2026.1.6.0 through 2026.1.16.0 as well as all releases 2025.3.20.0 or earlier.

Risk and Exploitability

The risk is that privileged users could exfiltrate sealed credentials without triggering audit alerts. The CVSS score is 2.4, the EPSS score is not available, and the vulnerability is not listed in CISA KEV, indicating that publicly available exploits have not been identified. Attackers would need legitimate export permissions; the vector is internal, but the impact on data confidentiality remains high. Due to the lack of public exploits and the requirement for specific permissions, the likelihood of exploitation is uncertain but could be significant in environments where export rights are improperly assigned.

Generated by OpenCVE AI on May 22, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version equal to or newer than 2026.1.17.0, which removes the logging flaw in the export feature.
  • Restrict export permissions by role so that only trusted users can export sealed entries, or disable the export of sealed entries entirely if not required for business processes.
  • Enable or augment audit logging for export actions so that any future export attempts are recorded and can be reviewed, and configure alerts to notify administrators of such activity.

Generated by OpenCVE AI on May 22, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Weaknesses CWE-778
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:55:53.773Z

Reserved: 2026-05-21T19:43:58.365Z

Link: CVE-2026-9247

cve-icon Vulnrichment

Updated: 2026-05-22T16:55:46.725Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T18:30:42Z

Weaknesses