Description
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.

This issue affects :

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Published: 2026-05-22
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can trigger a crafted password change request that does not validate the user's current password, allowing the target account to be reset without authentication. This flaw permits remote alteration of an account’s password, potentially enabling an attacker to take control of that account if the new password is known or guessed. The weakness is a direct authentication bypass classified as CWE‑620.

Affected Systems

Devolutions Server versions 2026.1.6.0 through 2026.1.16.0 and 2025.3.20.0 and all earlier releases. All affected installations expose the vulnerable password‑change endpoint without requiring prior authentication.

Risk and Exploitability

The CVSS score of 3.1 indicates low severity, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network request to the password‑change API, and exploitation requires no special privileges beyond sending a crafted request.

Generated by OpenCVE AI on May 22, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a patched release newer than 2026.1.16.0, ensuring the password‑change endpoint verifies the current password or requires proper authentication.
  • If an upgrade is not immediately possible, configure the server to restrict the password‑change endpoint to authenticated sessions only, preventing anonymous or unauthenticated requests.
  • Enable multi‑factor authentication for all Devolutions Server accounts, adding an additional barrier against unauthorized account takeover.

Generated by OpenCVE AI on May 22, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Unverified Password Reset in Devolutions Server Allowing Password Change Without Current Password

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unverified Password Reset in Devolutions Server Allowing Password Change Without Current Password
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Weaknesses CWE-620
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:54:12.579Z

Reserved: 2026-05-21T19:44:50.416Z

Link: CVE-2026-9249

cve-icon Vulnrichment

Updated: 2026-05-22T16:54:04.255Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T19:30:44Z

Weaknesses