Impact
This vulnerability is an authorization bypass in Devolutions Server's entry duplication feature. An authenticated user who has write access to any vault can copy the documentation and attachments of an entry that lives in a vault they cannot normally read. The attacker triggers the copy by sending a crafted save request and thereby gains unauthorized access to sensitive data. The weakness is classified as CWE-639: the user's privileges on the source object are not checked before the operation is allowed, which results in an information disclosure.
Affected Systems
The affected software is Devolutions Server. All releases from 2026.1.6.0 through 2026.1.16.0 are vulnerable, as are all releases up to and including 2025.3.20.0.
Risk and Exploitability
The CVSS score of 2.6 indicates low severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, which suggests no known public exploitation yet. However, the flaw allows any authenticated user with write permission on a vault to bypass authorization and retrieve contents from another vault, so the attack is within reach of ordinary users rather than administrators. The low CVSS score reflects the limited impact, but unauthorized duplication of sensitive data can matter a great deal in certain environments. The vulnerability is triggered by crafting a save request via the web interface or API; it requires only knowledge of the target vault identifiers and the ability to submit an HTTP request.
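The following is an added example, not Devolutions Server code, that models the missing check described in the Impact and Risk sections: a duplication handler that authorizes only the destination vault beside one that also authorizes the source vault. Vault, entry and permission names are assumptions for illustration.

```python
# Added example: entry duplication across vaults with and without a
# source-vault read check (the CWE-639 pattern described above).
# All names and sample data are constructed; none come from Devolutions.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks a permission the operation needs."""


@dataclass
class Entry:
    entry_id: str
    vault_id: str
    documentation: str
    attachments: list = field(default_factory=list)


@dataclass
class Principal:
    name: str
    read: set   # vault ids the user may read
    write: set  # vault ids the user may write


def _copy(src: Entry, target_vault: str) -> Entry:
    """Build the duplicate entry in the destination vault."""
    return Entry(src.entry_id + "-copy", target_vault,
                 src.documentation, list(src.attachments))


def duplicate_entry_vulnerable(user: Principal, entries: dict,
                               source_id: str, target_vault: str) -> Entry:
    """'Before' behaviour: only write access to the target vault is checked.
    The source vault is never authorized, so its documentation and
    attachments leak to any user who can write somewhere."""
    if target_vault not in user.write:
        raise Forbidden("no write access to target vault")
    return _copy(entries[source_id], target_vault)


def duplicate_entry_fixed(user: Principal, entries: dict,
                          source_id: str, target_vault: str) -> Entry:
    """Hardened: authorize the source object as well as the destination."""
    if target_vault not in user.write:
        raise Forbidden("no write access to target vault")
    src = entries[source_id]
    if src.vault_id not in user.read:
        raise Forbidden("no read access to source vault")
    return _copy(src, target_vault)
```

The defensive rule generalizes beyond this product: any copy, move, export or link operation must authorize every object it reads, not just the one it writes.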
OpenCVE Enrichment