PatchSiren cyber security CVE debrief
CVE-2026-10786 Devolutions CVE debrief
CVE-2026-10786 is a MEDIUM-severity vulnerability in Devolutions Server, with a CVSS score of 6.5. The issue, described as improper access control in the ticketing integration settings, allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.
- Vendor: Devolutions
- Product: Server
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-12
Who should care
Users of Devolutions Server, particularly those with ticketing integrations configured, should be aware of this vulnerability. An authenticated low-privileged user could exploit this issue to obtain sensitive credentials.
Technical summary
The vulnerability affects Devolutions Server versions 2026.2.4.0 and 2026.1.20.0 and earlier. It is characterized by CWE-312, Cleartext Storage of Sensitive Information. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a network attack vector with low privileges required.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-vulnerable version of Devolutions Server if available.
- Review and restrict API access for low-privileged users.
- Monitor for suspicious API requests that could indicate exploitation attempts.
Evidence notes
Evidence from the NVD and CVE.org confirms the details of this vulnerability. Devolutions has provided a vendor advisory (see ref-4).
Official resources
- CVE-2026-10786 CVE record (CVE.org)
- CVE-2026-10786 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-10786 was published on 2026-06-08T19:16:34.430Z and modified on 2026-06-12T17:56:50.630Z.