An authentication bypass flaw in the permission validation component of Devolutions Server allows an authenticated user with entry edit privileges to modify asset information without the required permission. The vulnerability represents a classic example of improper access control, enabling an attacker who can log in to the system to alter critical asset data that it should not be able to. Changes made by the attacker could undermine data integrity and potentially mislead other users or processes that rely on accurate asset information.

This issue affects Devolutions Server 2026.1.19 and all earlier releases. Users running these or earlier versions are susceptible until a patch or newer version is applied.

The flaw requires local or remote authentication and a user with entry edit rights, implying that the attack vector is internal. No public exploit has been documented, and EPSS data is unavailable; the vulnerability is not listed in CISA KEV. The risk is that authenticated users can compromise asset data integrity, with potential cascading effects on operations or reporting. While the lack of a documented public exploit moderates immediate external risk, the severity of enabling unauthorized data modification warrants prompt remediation.