PatchSiren cyber security CVE debrief
CVE-2026-11890 Devolutions CVE debrief
CVE-2026-11890 is an Improper access control vulnerability affecting Devolutions Server versions 2026.2.5 and 2026.1.21. The vulnerability allows an authenticated user to retrieve account discovery scan results. The CVE was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-11890) and last modified on [cveModifiedAt](https://nvd.nist.gov/vuln/detail/CVE-2026-11890).
- Vendor
- Devolutions
- Product
- Devolutions Server
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-17
Who should care
Users of Devolutions Server versions 2026.2.5 and 2026.1.21 should apply patches or mitigations to prevent exploitation.
Technical summary
The vulnerability is caused by improper access control in PAM account discovery. An authenticated user can exploit this vulnerability to retrieve account discovery scan results.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by Devolutions to address the vulnerability.
- Restrict access to account discovery scan results to authorized personnel only.
- Monitor Devolutions Server logs for suspicious activity.
Evidence notes
The CVE was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-11890) and last modified on [cveModifiedAt](https://nvd.nist.gov/vuln/detail/CVE-2026-11890). The vulnerability affects Devolutions Server versions 2026.2.5 and 2026.1.21.
Official resources
-
CVE-2026-11890 CVE record
CVE.org
-
CVE-2026-11890 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-11890 was published on 2026-06-16T20:16:27.227Z and last modified on 2026-06-16T20:41:35.520Z.