Description
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
Published: 2026-06-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated non‑administrator can delete network discovery scan configurations because the PAM account discovery feature in Devolutions Server lacks proper access control. Removing these configurations disables the server’s ability to automatically identify and inventory devices on the network, thus disrupting visibility. The vulnerability does not grant remote code execution or elevate privileges beyond the existing non‑admin credentials.

Affected Systems

Devolutions Server version 2026.1.19 and all earlier releases are affected. The impact applies across all deployments of that software family.

Risk and Exploitability

The exploit requires valid non‑administrator credentials; no additional conditions such as network access or elevation are mentioned. The CVSS score of 5.4 indicates moderate severity, the EPSS score is unavailable, and the vulnerability is not listed in CISA KEV, so the overall risk cannot be quantified precisely. Nonetheless, the loss of network discovery capability can affect operational monitoring and inventory processes for systems that rely on the server.

Generated by OpenCVE AI on June 3, 2026 at 04:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to the latest release that contains the fix for CVE‑2026‑9522.
  • Adjust role‑based permissions so that only administrator accounts are allowed to delete network discovery scan configurations.
  • Enable and review audit logs for configuration changes to detect unauthorized deletions.



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Authenticated User Can Delete Network Discovery Scan Configurations in Devolutions Server |

Wed, 03 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Devolutions devolutions Server |
| CPEs | | cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:* |
| Vendors & Products | | Devolutions devolutions Server |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 02 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Devolutions, Devolutions server |
| Vendors & Products | | Devolutions, Devolutions server |

Tue, 02 Jun 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Authenticated User Can Delete Network Discovery Scan Configurations in Devolutions Server |
| Weaknesses | | CWE-284 |

Tue, 02 Jun 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-02T19:37:10.123Z

Reserved: 2026-05-25T19:20:49.940Z

Link: CVE-2026-9522

Vulnrichment

Updated: 2026-06-02T19:36:33.193Z

NVD

Status: Analyzed

Published: 2026-06-02T16:16:45.873

Modified: 2026-06-02T20:54:12.140

Link: CVE-2026-9522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:45:25Z

Weaknesses