Description
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request.

This issue affects :

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
Published: 2026-05-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization in the entry status management feature of Devolutions Server. It allows a non‑administrator authenticated user, by sending a crafted status change request, to bypass the administrator‑enforced Pending Approval flow and obtain the data of the targeted entry. This flaw enables unauthorized disclosure of sensitive information stored in entries that would normally require administrative approval to be viewed. The weakness type is Missing Authorization (CWE‑862).

Affected Systems

Devolutions Server versions 2025.3.20.0 and all releases up to 2026.1.16.0 are affected. Any deployment of these versions that has non‑administrator users who can interact with the status change endpoint is at risk.

Risk and Exploitability

Because the flaw only requires authentication and the ability to submit a status change request, any regular user with appropriate network access to the server can exploit it. No public exploit is currently known, and the EPSS score is not available, but the absence of authorization control raises the likelihood of misuse. The CVSS score is 5.4. The vulnerability is not listed in the CISA KEV catalog, yet its potential for data leakage makes it a high‑priority concern for organizations using Devolutions Server.

Generated by OpenCVE AI on May 22, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to the latest version (2026.1.16.0 or later) where the authorization check is restored.
  • Revoke or severely limit the privileges of non‑administrator accounts that can interact with entry status endpoints until the patch is applied.
  • Enable and regularly review audit logging for status change operations to detect any unauthorized activity.

Generated by OpenCVE AI on May 22, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Missing Authorization Allows Non‑Administrator Users to Bypass Approval Flow and Access Entry Data

Fri, 22 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Missing Authorization Allows Non‑Administrator Users to Bypass Approval Flow and Access Entry Data
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Weaknesses CWE-862
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-05-22T16:49:29.562Z

Reserved: 2026-05-21T20:03:12.616Z

Link: CVE-2026-9251

cve-icon Vulnrichment

Updated: 2026-05-22T16:49:20.312Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T20:00:13Z

Weaknesses