Devolutions

By the Year

In 2026 there have been 22 vulnerabilities in Devolutions with an average score of 7.1 out of ten. Last year, in 2025 Devolutions had 34 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Devolutions in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.06.

Recent Devolutions Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-4989	Apr 01, 2026	Devolutions Server 2026.1.11 SSRF via Gateway Health Check API Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
CVE-2026-5175	Apr 01, 2026	Devolutions Server MFA API Access Control Flaw 2026.1.6-2026.1.11 Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.  This issue affects Server: from 2026.1.6 through 2026.1.11.
CVE-2026-4925	Apr 01, 2026	Devolutions Server 2026.1.6-2026.1.11 MFA Access Control Bypass Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11.
CVE-2026-4927	Apr 01, 2026	Devolutions Server 2026.1.6-11: MFA API discloses OTP keys to privileged users Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11.
CVE-2026-4924	Apr 01, 2026	Improper 2FA Auth in Devolutions Server 2026.1.11 and Prior Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
CVE-2026-4828	Apr 01, 2026	Devolutions Server <2026.1.11 MFA Bypass via OAuth Auth Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
CVE-2026-4829	Apr 01, 2026	Devolutions Server 2026.1.11 Improper Auth in OAuth Flow (Session Code Reuse) Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
CVE-2026-4434	Mar 20, 2026	pam-winrm Improper Cert Validation Allows MITM via WinRM Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
CVE-2026-4396	Mar 18, 2026	Devolutions Hub Reporting Service 2025.3.1.1 MITM via TLS cert bypass Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
CVE-2026-3563	Mar 17, 2026	PowerShell Universal <2026.1.4: Improper Input Validation Routing DoS Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.
CVE-2026-4064	Mar 17, 2026	PowerShell Universal <2026.1.4 gRPC Auth Bypass CVE-2026-4064 Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations including reading sensitive data, creating or deleting resources, and disrupting service operations via crafted gRPC requests.
CVE-2026-3638	Mar 09, 2026	Low-Priv Auth Restores Users/roles via API on Devolutions Server 2025.3.11.0 Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.
CVE-2026-3130	Mar 03, 2026	Devolutions Server 2025.3.15: Auth Bulk Delete Triggers CheckedOut PAM Removal Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
CVE-2026-3204	Mar 03, 2026	Devolutions Server 2025.3.15 Improper Validation Spoofing (Err Msg Page) Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
CVE-2026-2590	Mar 03, 2026	Disable-Password-Saving not enforced in Devolutions RDM 2025.3.30 (Connection Entry) Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.	Remote Desktop Manager
CVE-2026-3224	Mar 03, 2026	Devolutions Server 2025.3.15.0: Auth bypass via forged JWT (Entra ID) Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
CVE-2026-3277	Feb 27, 2026	Cleartext OIDC Client Secret in PowerShell Universal < 2026.1.3 The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials
CVE-2026-3221	Feb 25, 2026	Devolutions Server 2025.3.14: Unencrypted user data in DB (CVE-2026-3221) Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
CVE-2026-1007	Jan 19, 2026	Devolutions Server 2025.3.1-12 VG Auth Bypass Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
CVE-2026-0610	Jan 19, 2026	SQL Injection in Devolutions Server 2025.3.1-2025.3.12 remote-sessions SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
CVE-2026-0747	Jan 08, 2026	Devolutions RD Manager <2025.3.29: Pwd leak via TeamViewer entry mask on Win Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.	Remote Desktop Manager
CVE-2026-0618	Jan 07, 2026	XSS in Devolutions PowerShell Universal <5.6.13 / <4.5.6 Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
CVE-2025-13683	Nov 28, 2025	Devolutions Server/Remote Desktop Manager Credential Leak 2025.3.8/2025.3.23 Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.	Remote Desktop Manager
CVE-2025-13758	Nov 27, 2025	Devolutions Server <=2025.3.8 Creds Exposure via Unintended Requests Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.	Devolutions Server
CVE-2025-13757	Nov 27, 2025	SQL Injection in Devolutions Server before 2025.3.8 SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.	Devolutions Server
CVE-2025-13765	Nov 27, 2025	Devolutions Server <2025.2.21 & <2025.3.9: Non-Admin Credential Exposure Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.	Devolutions Server
CVE-2025-12485	Nov 06, 2025	Devolutions Server 2025.3.5 PreMFA Cookie Privilege Escalation Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier	Devolutions Server
CVE-2025-12808	Nov 06, 2025	Devolutions Server <2025.3.5.0: View-only can pull password custom values Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier	Devolutions Server
CVE-2025-11957	Oct 22, 2025	Devolutions Server 2025.2.12.0: Improper Auth in Temp Access via API Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.	Devolutions Server
CVE-2025-11958	Oct 22, 2025	DoS via crafted request in Sec. Dashboard ignored-tasks API Devolutions Server 2025.2.15 An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.	Devolutions Server
CVE-2025-11619	Oct 15, 2025	Devolutions Server 2025.3.2-and-earlier: Improper Cert Validation Enables MitM Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.	Devolutions Server
CVE-2025-8312	Jul 30, 2025	Deadlock bypasses PAM checkin to keep passwords valid in Devolutions <=2025.2.5.0 Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) : * Devolutions Server 2025.2.2.0 through 2025.2.5.0 * Devolutions Server 2025.1.12.0 and earlier	Devolutions Server
CVE-2025-8353	Jul 30, 2025	Devolutions Server 2025.2.4.0 and earlier: UI Sync RCE in JIT Approval UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.	Devolutions Server
CVE-2025-6523	Jul 22, 2025	Auth Bypass via weak emergency codes in Devolutions Server 2025.2.2.0-2025.2.3.0 Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier	Devolutions Server
CVE-2025-6741	Jul 22, 2025	Unauth Access to Secure Message Attachments in Devolutions Server V2025.2.2-4 Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.4.0 * Devolutions Server 2025.1.11.0 and earlier	Devolutions Server
CVE-2025-5382	Jun 05, 2025	Devolutions Server MFA Admin Access Control Flaw – 2025.1.7.0 & earlier Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.	Devolutions Server
CVE-2025-3768	Jun 05, 2025	Devolutions Server 2025.1.10.0 – Tor Block Access Control Issue Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.	Devolutions Server
CVE-2025-0691	Jun 05, 2025	Improper Access Control in Devolutions Server before 2025.1.10.0 Permissions Component Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.	Devolutions Server
CVE-2025-4433	May 30, 2025	Privilege Escalation via Improper Access Control in Devolutions Server 2025.1.7 Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges.	Devolutions Server
CVE-2025-5334	May 29, 2025	Remote Desktop Manager <=2025.1.34.0 User Vaults Leak Data; Unauthorized Access Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions : * Remote Desktop Manager Windows 2025.1.34.0 and earlier * Remote Desktop Manager macOS 2025.1.16.3 and earlier * Remote Desktop Manager Android 2025.1.3.3 and earlier * Remote Desktop Manager iOS 2025.1.6.0 and earlier	Remote Desktop Manager
CVE-2025-4493	May 28, 2025	Devolutions Server (v2025.1.3-2025.1.7) Improper PAM JIT Privilege Assignment Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue. This issue affects the following versions :  * Devolutions Server 2025.1.3.0 through 2025.1.7.0 * Devolutions Server 2024.3.15.0 and earlier	Devolutions Server
CVE-2025-4316	May 05, 2025	Devolutions Server 2025.1.3.0-2025.1.6.0: PAM Self-Approval Access Control Flaw Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.	Devolutions Server
CVE-2025-3517	May 01, 2025	Privilege Escalation via PAM JIT in Devolutions Server 2025.1.5.0 Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal accounts SID when updating the username.	Devolutions Server
CVE-2025-2600	Mar 26, 2025	Remote Desktop Manager 2025.1.24-25 Improper Authorization of ELEVATED_PASSWORD Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated password to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2528	Mar 26, 2025	Improper Auth: Remote Desktop Manager 2025.1.24-2025.1.25 Bypass-PW Policy Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a configuration different from the one mandated by the system administrators. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2562	Mar 26, 2025	Insufficient Logging in Devolutions RDM Autotyping (2025.1.24-25, <=2024.3.29) Insufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2499	Mar 26, 2025	Client-Side ACL Bypass in Devolutions RM 2025.1.24-25 Permissions Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictionsspecifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2280	Mar 13, 2025	Improper ACL in Devolutions Server 2024.3.4.0 Web Ext Restriction Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.	Devolutions Server
CVE-2025-2278	Mar 13, 2025	Devolutions Server 2024.3.13 – Improper Access on Temp & Checkout Endpoints Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.	Devolutions Server
CVE-2025-2277	Mar 13, 2025	Devolutions Server <=2024.3.13 Leaks SSH Password via Web Auth Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking.	Devolutions Server